Re: How to output from lookup table if a field val...

epw0rrell · ‎12-10-2020

I know how to use eval and if statements to pull fields that contain a %.value.% but how can I use this when running a search | lookup and output fields that contain a value of a field within the search? Let me know if you need an example search or more context. Thanks to anyone that can help me with this.

ITWhisperer · ‎12-10-2020

An example and more context would be helpful

epw0rrell · ‎12-10-2020

I have one index of alerts containing a field named "alertDomain" with values like "domain.com."

I have a lookup table with urls sent within emails with values like http://www.domain.com/otherplaces

I would like to run a search like this:

index=alerts | lookup emailURLs.csv emailURL as alertDomain OUTPUT emailURL as phishingURL | table phishingURL

but I know this won't work because the fields will not match. I need to OUTPUT the emailURL if it simply contains the value within alertDomain.

Is this a bit better?

ITWhisperer · ‎12-10-2020

Can you add another column to the emailURLs.csv file with the domain part of the URL so that you can get a match?

epw0rrell · ‎12-10-2020

Unfortunately there is only a URL field within the logs. Unless I can use a clever field extraction on the URL, I would need to go about it from this direction.

How to output from lookup table if a field value is included anywhere within table field

eval

lookup

table

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation