Splunk Search

How to search for events where someone visited a domain from a list in a static CSV file?

janiceb
Path Finder

Greetings All,

I am trying to use a static CSV file that contains bad domain indicators and search Splunk logs for any events where someone may have gone to that domain. The CSV file only contains one column with the heading of "Domain".

How can I accomplish this in Splunk? I read about the inputlookup command, but this appears to be a way to add fields from the CSV file to my Splunk events.
I am not looking to do this. I am just looking to have my results return any hits to those domains. I am using the WinDNS logs as my sourcetype and those logs also have a field in it called "Domain".

Thanks,

Janice

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this. If your logs have field Domain with exact same values as in Domain field in your lookup

index=foo sourcetype=WinDNS [| inputlookup yourdomainlookup.csv | table Domain ]

If your logs have field Domain with values as super set of Domain values in your lookup (logs has www.maps.google.com and lookup has just google.com), then try this

  index=foo sourcetype=WinDNS [| inputlookup yourdomainlookup.csv | table Domain | eval Domain="*".Domain."*"]

View solution in original post

alexandermunce
Communicator

One approach depending on how you would like to format your results would be to add another field to your CSV labelled "error" with all values being "true" perhaps and for any matches in the lookup OUTPUT a new field "error" with the value "true".

0 Karma

somesoni2
Revered Legend

Try like this. If your logs have field Domain with exact same values as in Domain field in your lookup

index=foo sourcetype=WinDNS [| inputlookup yourdomainlookup.csv | table Domain ]

If your logs have field Domain with values as super set of Domain values in your lookup (logs has www.maps.google.com and lookup has just google.com), then try this

  index=foo sourcetype=WinDNS [| inputlookup yourdomainlookup.csv | table Domain | eval Domain="*".Domain."*"]

janiceb
Path Finder

Thanks so much! This works great!

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...