How to search a CSV lookup table and return matche...

ehaile039 · ‎12-03-2015

Hi Splunkers,

I have a CSV file that contains several different IOCs, such as domains, hashes, ip addresses, and email addresses. I would like to perform a search and return all matches with a count.

file name:ioc.csv
column field :ioc
Example of CSV file:
ioc
badstuff.com
45CD661D53DFC80A0A5A7927F9EE313L

I am able to get the search to work and return the events with the following query:

 index=* sourcetype=* [|inputlookup ioc.csv |rename ioc as query|fields query]

The problem I am having is returning a count for the matches, since some matches fall under different fields. For example, if the search listed above returns a total of 3 events, 2 domain matches, and 1 hash match if did the following:

   index=* sourcetype=* [|inputlookup ioc.csv |rename ioc as query|fields query]|stats count by domain

The domain matches will return with the count, but not the hash results. How would go about performing a count on all matches that are returned?

Thanks in Advance!

sundareshr · ‎12-03-2015

Try

|inputlookup ioc.csv |stats count by  ioc

ehaile039 · ‎12-03-2015

That will only read the csv file into Splunk and provide the count. I want to search my indexed data for any maches on the csv file and return the ioc and count.

sundareshr · ‎12-03-2015

What does ioc map to in your indexed data? Is it query? What's domain? Have you tried

index=* sourcetype=* [|inputlookup ioc.csv |rename ioc as query|fields query]|stats count by query

Can you provide details on your indexed data you want to include in your search?

How to search a CSV lookup table and return matches with a count?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms