Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search a CSV lookup table and return matches with a count?

ehaile039
Engager
‎12-03-2015 07:59 AM

Hi Splunkers,

I have a CSV file that contains several different IOCs, such as domains, hashes, ip addresses, and email addresses. I would like to perform a search and return all matches with a count.

file name:ioc.csv
column field :ioc
Example of CSV file:
ioc
badstuff.com
45CD661D53DFC80A0A5A7927F9EE313L

I am able to get the search to work and return the events with the following query:

 index=* sourcetype=* [|inputlookup ioc.csv |rename ioc as query|fields query]

The problem I am having is returning a count for the matches, since some matches fall under different fields. For example, if the search listed above returns a total of 3 events, 2 domain matches, and 1 hash match if did the following:

   index=* sourcetype=* [|inputlookup ioc.csv |rename ioc as query|fields query]|stats count by domain

The domain matches will return with the count, but not the hash results. How would go about performing a count on all matches that are returned?

Thanks in Advance!

Reply

sundareshr
Legend
‎12-03-2015 08:27 AM

Try

|inputlookup ioc.csv |stats count by  ioc
0 Karma
Reply

ehaile039
Engager
‎12-03-2015 10:36 AM

That will only read the csv file into Splunk and provide the count. I want to search my indexed data for any maches on the csv file and return the ioc and count.

0 Karma
Reply

sundareshr
Legend
‎12-03-2015 11:52 AM

What does ioc map to in your indexed data? Is it query? What's domain? Have you tried 

index=* sourcetype=* [|inputlookup ioc.csv |rename ioc as query|fields query]|stats count by query

Can you provide details on your indexed data you want to include in your search?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...