Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to run/optimize long ad-hoc searches with lookup

dauren_akilbeko
Communicator
‎07-08-2021 01:03 AM

I'm trying to see if there are hits with Kaseya related domains in my Web datamodel. As I understand we need to use wildcard lookup or trim Web.url to match domains in  the lookup Splunk-REvil-Kaseya-IOCs/domains.csv at main · davisshannon/Splunk-REvil-Kaseya-IOCs (github.com)

What I've tried so far:

 

| tstats summariesonly=true latest("_time") values("Web.src") values("Web.dest") from datamodel="Web"."Web" by "Web.url" "Web.user"
| eval list="*"
| `ut_parse(Web.url, list)`
| lookup kaseya_domains domain AS ut_domain OUTPUT domain
| where isnotnull('domain')

 


It works, but not for a longer period of times (7 days or more). What are my options?

Labels (3)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2021 06:06 AM

When it doesn't work, what happens?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dauren_akilbeko
Communicator
‎07-08-2021 06:08 AM

It times out or DAG errors.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...