Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to output from lookup table if a field value is included anywhere within table field

epw0rrell
Path Finder
‎12-10-2020 10:02 AM

I know how to use eval and if statements to pull fields that contain a %.value.% but how can I use this when running a search | lookup and output fields that contain a value of a field within the search?  Let me know if you need an example search or more context.  Thanks to anyone that can help me with this.

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2020 10:29 AM

An example and more context would be helpful

0 Karma
Reply

epw0rrell
Path Finder
‎12-10-2020 10:58 AM

I have one index of alerts containing a field named "alertDomain" with values like "domain.com."

I have a lookup table with urls sent within emails with values like http://www.domain.com/otherplaces 

I would like to run a search like this:

index=alerts | lookup emailURLs.csv emailURL as alertDomain OUTPUT emailURL as phishingURL | table phishingURL

but I know this won't work because the fields will not match.  I need to OUTPUT the emailURL if it simply contains the value within alertDomain.

Is this a bit better?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2020 11:04 AM

Can you add another column to the emailURLs.csv file with the domain part of the URL so that you can get a match?

0 Karma
Reply

epw0rrell
Path Finder
‎12-10-2020 11:21 AM

Unfortunately there is only a URL field within the logs.  Unless I can use a clever field extraction on the URL, I would need to go about it from this direction.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...