Splunk Search
Highlighted

How to lookup list of keywords with raw logs which are available in Splunk?

New Member

Hi,

I have a list of executables uploaded as a lookup in Splunk and have proxy logs to compare against it.
I need to find out if any user is trying to download an executable in this list from the internet.

My index is bluecoat and lookup table is executable.
Someone please help.

0 Karma
Highlighted

Re: How to lookup list of keywords with raw logs which are available in Splunk?

Builder

Could you provide more information on that? Example of logs and the lookup

0 Karma
Highlighted

Re: How to lookup list of keywords with raw logs which are available in Splunk?

New Member

Hi,
My index is bluecoat, and it has url field which contains the executable somewhere in the payload. The lookup contains list of executable.

0 Karma
Highlighted

Re: How to lookup list of keywords with raw logs which are available in Splunk?

Legend

Try this

index=bluecoat [ | inputlookup ListOfExes.csv | table FieldWithExeNames | rename FieldWithExeNames AS search] | rest of your query here

View solution in original post

0 Karma
Highlighted

Re: How to lookup list of keywords with raw logs which are available in Splunk?

New Member

Thanks, but will it work if the executable are present in somewhere in the URL? Will it compare the exact keyword from lookup table with url field?

0 Karma
Highlighted

Re: How to lookup list of keywords with raw logs which are available in Splunk?

Legend

It should find it anywhere in the _raw event. But needs to be an exact match.

If that fails, you will have to extract the name of the exe into a separate field using regex. If you share raw event, someone can help you with the regex. In that event, you will need to change the query to this

index=bluecoat | YOUR REGEX TO EXTRACT EXE NAME TO SOME FIELD | search  [ | inputlookup ListOfExes.csv | table FieldWithExeNames] | rest of your query here
0 Karma