I know how to use eval and if statements to pull fields that contain a %.value.% but how can I use this when running a search | lookup and output fields that contain a value of a field within the search? Let me know if you need an example search or more context. Thanks to anyone that can help me with this.
An example and more context would be helpful.
I have one index of alerts containing a field named "alertDomain" with values like "domain.com."
I have a lookup table with URLs sent within emails, with values like http://www.domain.com/otherplaces
I would like to run a search like this:
index=alerts | lookup emailURLs.csv emailURL as alertDomain OUTPUT emailURL as phishingURL | table phishingURL
but I know this won't work because the fields will not match. I need to OUTPUT the emailURL if it simply contains the value within alertDomain.
Is this a bit better?
Can you add another column to the emailURLs.csv file with the domain part of the URL so that you can get a match?
Unfortunately there is only a URL field within the logs. Unless I can use a clever field extraction on the URL, I would need to go about it from this direction.
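One way to do the "clever field extraction" at search time, without editing the CSV, is to extract the host part of each lookup URL inside a subsearch and then join on it. The SPL below is an added example written for this thread, not code posted by any of the participants. It assumes the field names from the thread (`alertDomain`, `emailURL`, `emailURLs.csv`), that `alertDomain` may carry a trailing dot and mixed case (hence the `rtrim`/`lower` normalisation), and that the URLs in the lookup may or may not have a scheme and a leading `www.`; all of those are assumptions about the data, not facts from the thread.

```spl
index=alerts
| eval alertDomain=lower(rtrim(alertDomain, "."))
| join type=left max=0 alertDomain
    [ inputlookup emailURLs.csv
      | rex field=emailURL "^(?i)(?:https?://)?(?:www\.)?(?<alertDomain>[^/:?#]+)"
      | eval alertDomain=lower(alertDomain)
      | rename emailURL AS phishingURL
      | fields alertDomain phishingURL ]
| table alertDomain phishingURL
```

The `rex` pulls everything between the optional scheme/`www.` and the first `/`, `:`, `?` or `#` into a field named `alertDomain` so that `join` has a common key; `max=0` returns every lookup URL that shares the domain rather than only the first one, and `type=left` keeps alerts that have no matching URL (their `phishingURL` is empty). Because the lookup rows come from a subsearch, the usual subsearch result and time limits apply; if the CSV is large, the same `inputlookup | rex` pipeline can be run once and written back with `outputlookup` to a new CSV that carries the domain column, which is effectively the extra column suggested above and lets the original plain `lookup` command work.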