Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to run/optimize long ad-hoc searches with lookup

dauren_akilbeko
Communicator
‎07-08-2021 01:03 AM

I'm trying to see if there are hits with Kaseya related domains in my Web datamodel. As I understand we need to use wildcard lookup or trim Web.url to match domains in  the lookup Splunk-REvil-Kaseya-IOCs/domains.csv at main · davisshannon/Splunk-REvil-Kaseya-IOCs (github.com)

What I've tried so far:

 

| tstats summariesonly=true latest("_time") values("Web.src") values("Web.dest") from datamodel="Web"."Web" by "Web.url" "Web.user"
| eval list="*"
| `ut_parse(Web.url, list)`
| lookup kaseya_domains domain AS ut_domain OUTPUT domain
| where isnotnull('domain')

 


It works, but not for a longer period of times (7 days or more). What are my options?

Labels (3)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2021 06:06 AM

When it doesn't work, what happens?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dauren_akilbeko
Communicator
‎07-08-2021 06:08 AM

It times out or DAG errors.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...