Splunk Search

How to search a proxy log index to get a list of URLs that match the URL field in a lookup table?

pdumblet
Explorer

I have a proxy log index which contains a URL field.

I also have a lookup table, which contains a list of known bad URLs.

I would like to do a comparison to see if the indexed URL field has any values like those in the lookup table.

Example:

URL Field from Proxy Index:
url="http://www.somewebsite.com/cma-music-festival"

Lookup Table contains fields:
category: Other
date: 2016-11-01T19:12:07+00:00
isbad: true
reference: http://www.phishtank.com/phish_detail.php?phish_id=4572548
url: http://somewebsite.com

How would I search the proxy log index to get a list of the URLs that match those in the Lookup Table url field?

Thanks.

0 Karma
1 Solution

pdumblet
Explorer

Actually I think I found it after testing.

eventtype=cisco_wsa_squid  [| inputlookup phishtank.csv | fields url]

This appears to work for what I am looking for.


0 Karma
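Added example (not from the original thread or from Splunk): a small Python model of what the accepted subsearch does. `[| inputlookup phishtank.csv | fields url]` expands to an OR of exact `url="..."` terms, so the question's own example (lookup `http://somewebsite.com` versus indexed `http://www.somewebsite.com/cma-music-festival`) would not match; comparing on a normalised host does. The lookup rows and proxy events below are constructed sample data with the field names from the question.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed stand-in for phishtank.csv (same columns as in the question; second row is made up).
LOOKUP_CSV = """category,date,isbad,reference,url
Other,2016-11-01T19:12:07+00:00,true,http://www.phishtank.com/phish_detail.php?phish_id=4572548,http://somewebsite.com
Other,2016-11-02T08:00:00+00:00,true,http://www.phishtank.com/phish_detail.php?phish_id=PLACEHOLDER,http://login.example-bank.test/verify
"""

# Constructed proxy events; only the url field takes part in the comparison.
PROXY_EVENTS = [
    {"url": "http://www.somewebsite.com/cma-music-festival"},
    {"url": "http://somewebsite.com"},
    {"url": "https://login.example-bank.test/verify?session=1"},
    {"url": "http://www.example.org/"},
]

def lookup_urls(csv_text):
    """Equivalent of `| inputlookup phishtank.csv | fields url`: the url column as a list."""
    return [row["url"] for row in csv.DictReader(io.StringIO(csv_text))]

def host_of(url):
    """Normalise a URL to its bare host: lowercase, leading 'www.' dropped, port and path ignored."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def exact_matches(events, bad_urls):
    """What the subsearch expands to: url="a" OR url="b" ... i.e. exact string equality only."""
    bad = set(bad_urls)
    return [e["url"] for e in events if e["url"] in bad]

def host_matches(events, bad_urls):
    """Compare on normalised host instead, so scheme, 'www.' and path differences do not hide a hit.
    Coarser than the lookup: a path-specific entry flags every URL on that host."""
    bad_hosts = {host_of(u) for u in bad_urls}
    return [e["url"] for e in events if host_of(e["url"]) in bad_hosts]

if __name__ == "__main__":
    bad = lookup_urls(LOOKUP_CSV)
    print("exact:", exact_matches(PROXY_EVENTS, bad))   # only the identical string
    print("host: ", host_matches(PROXY_EVENTS, bad))    # the question's example now matches too
```

In SPL the same normalisation would be done with `eval` on both the events and the lookup before comparing, rather than on the raw url strings.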

aaraneta_splunk
Splunk Employee

@pdumblet - If this has provided a working solution, please click "Accept" below your answer to resolve your post. Otherwise, feel free to leave it open for now if you're open to other possible suggestions. Thanks.

0 Karma