Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for values in a lookup table with wildcard

DEAD_BEEF
Builder
‎12-06-2017 08:07 PM

My lookup table is a simple list of malicious domains. How can I do a search such that I can search for the malicious domain* instead of just an exact match for the malicious domain in my firewall logs?

Lookup table

badsite.com
malware.com

I want it to match against

theother.badsite.com/
microsoft.malware.com/download.exe

Current Query

index=web [|inputlookup badboylist.csv | fields uri] | stats count by uri
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎12-06-2017 09:09 PM

Hi @DEAD_BEEF,

Please follow below steps.

1.) Create lookup with wildcard, for example 

       Domain
    *badsite.com*
    *malware.com*

2.) Upload lookup file into splunk for example lookup filename is test.csv
3.) Create lookup definition , for example I have given definition name as test_lookup for test.csv file
4.) Create transforms.conf with below configuration

       [test_lookup]
    filename = test.csv
    match_type=WILDCARD(Domain)

5.) Reload splunk using https://<SH:8000>/debug/refresh or restart splunk.
6.) I have tried with below sample query and it works fine, in below first 5 lines are used to generate dummy data.

       | makeresults
    | eval Domain="badsite.com"
    | append [ | makeresults | eval Domain="theother.badsite.com/"]
    | append [ | makeresults | eval Domain="xyz.com"]
    | append [ | makeresults | eval Domain="microsoft.malware.com/download.exe"]
    | lookup test_lookup Domain AS Domain OUTPUT Domain AS Domain_lookup

Please find below screenshot with output for above query.
alt text

7.) Query which is provided in point 6 gives you matching and non-matching Domain but if you want to filter out only matching domain name then sample query will be

       | makeresults
    | eval Domain="badsite.com"
    | append [ | makeresults | eval Domain="theother.badsite.com/"]
    | append [ | makeresults | eval Domain="xyz.com"]
    | append [ | makeresults | eval Domain="microsoft.malware.com/download.exe"]
    | lookup test_lookup Domain AS Domain OUTPUT Domain AS Domain_lookup
    | where isnotnull(Domain_lookup)

I hope this helps.

Thanks,
Harshil

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎12-06-2017 09:21 PM

@DEAD_BEEF, this question has been asked several times in past. Look at the post below:

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎12-06-2017 09:09 PM

Hi @DEAD_BEEF,

Please follow below steps.

1.) Create lookup with wildcard, for example 

       Domain
    *badsite.com*
    *malware.com*

2.) Upload lookup file into splunk for example lookup filename is test.csv
3.) Create lookup definition , for example I have given definition name as test_lookup for test.csv file
4.) Create transforms.conf with below configuration

       [test_lookup]
    filename = test.csv
    match_type=WILDCARD(Domain)

5.) Reload splunk using https://<SH:8000>/debug/refresh or restart splunk.
6.) I have tried with below sample query and it works fine, in below first 5 lines are used to generate dummy data.

       | makeresults
    | eval Domain="badsite.com"
    | append [ | makeresults | eval Domain="theother.badsite.com/"]
    | append [ | makeresults | eval Domain="xyz.com"]
    | append [ | makeresults | eval Domain="microsoft.malware.com/download.exe"]
    | lookup test_lookup Domain AS Domain OUTPUT Domain AS Domain_lookup

Please find below screenshot with output for above query.
alt text

7.) Query which is provided in point 6 gives you matching and non-matching Domain but if you want to filter out only matching domain name then sample query will be

       | makeresults
    | eval Domain="badsite.com"
    | append [ | makeresults | eval Domain="theother.badsite.com/"]
    | append [ | makeresults | eval Domain="xyz.com"]
    | append [ | makeresults | eval Domain="microsoft.malware.com/download.exe"]
    | lookup test_lookup Domain AS Domain OUTPUT Domain AS Domain_lookup
    | where isnotnull(Domain_lookup)

I hope this helps.

Thanks,
Harshil

Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎12-07-2017 05:16 AM

This is awesome! Interesting that it requires editing in transforms.conf but nothing in props.conf. Let me test this out with my data just to confirm before accepting.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎12-07-2017 05:25 AM

You might see that when you complete point 3, transforms.conf stanza will be created but you need to add one line match_type=WILDCARD(Domain)

Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎12-20-2017 03:14 AM

Hi @DEAD_BEEF,

Answer provided by me worked for you? If yes then please accept and upvote it.

Thanks,
Harshil

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top