Solved: How to lookup list of keywords with raw logs which...

kaskirana01 · ‎07-11-2016

Hi,

I have a list of executables uploaded as a lookup in Splunk and have proxy logs to compare against it.
I need to find out if any user is trying to download an executable in this list from the internet.

My index is bluecoat and lookup table is executable.
Someone please help.

sundareshr · ‎07-11-2016

Try this

index=bluecoat [ | inputlookup ListOfExes.csv | table FieldWithExeNames | rename FieldWithExeNames AS search] | rest of your query here

View solution in original post

sundareshr · ‎07-11-2016

Try this

index=bluecoat [ | inputlookup ListOfExes.csv | table FieldWithExeNames | rename FieldWithExeNames AS search] | rest of your query here

kaskirana01 · ‎07-11-2016

Thanks, but will it work if the executable are present in somewhere in the URL? Will it compare the exact keyword from lookup table with url field?

sundareshr · ‎07-12-2016

It should find it anywhere in the _raw event. But needs to be an exact match.

If that fails, you will have to extract the name of the exe into a separate field using regex. If you share raw event, someone can help you with the regex. In that event, you will need to change the query to this

index=bluecoat | YOUR REGEX TO EXTRACT EXE NAME TO SOME FIELD | search  [ | inputlookup ListOfExes.csv | table FieldWithExeNames] | rest of your query here

gfreitas · ‎07-11-2016

Could you provide more information on that? Example of logs and the lookup

kaskirana01 · ‎07-11-2016

Hi,
My index is bluecoat, and it has url field which contains the executable somewhere in the payload. The lookup contains list of executable.

How to lookup list of keywords with raw logs which are available in Splunk?

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)