Splunk Search

How to lookup list of keywords with raw logs which are available in Splunk?

New Member

Hi,

I have a list of executables uploaded as a lookup in Splunk and have proxy logs to compare against it.
I need to find out if any user is trying to download an executable in this list from the internet.

My index is bluecoat and lookup table is executable.
Someone please help.

0 Karma
1 Solution

Legend

Try this

index=bluecoat [ | inputlookup ListOfExes.csv | table FieldWithExeNames | rename FieldWithExeNames AS search] | rest of your query here

View solution in original post

0 Karma

Legend

Try this

index=bluecoat [ | inputlookup ListOfExes.csv | table FieldWithExeNames | rename FieldWithExeNames AS search] | rest of your query here

View solution in original post

0 Karma

New Member

Thanks, but will it work if the executable are present in somewhere in the URL? Will it compare the exact keyword from lookup table with url field?

0 Karma

Legend

It should find it anywhere in the _raw event. But needs to be an exact match.

If that fails, you will have to extract the name of the exe into a separate field using regex. If you share raw event, someone can help you with the regex. In that event, you will need to change the query to this

index=bluecoat | YOUR REGEX TO EXTRACT EXE NAME TO SOME FIELD | search  [ | inputlookup ListOfExes.csv | table FieldWithExeNames] | rest of your query here
0 Karma

Builder

Could you provide more information on that? Example of logs and the lookup

0 Karma

New Member

Hi,
My index is bluecoat, and it has url field which contains the executable somewhere in the payload. The lookup contains list of executable.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!