Splunk Search

How to search with the value of field as a variable pattern to match other fields?

Log_wrangler
Builder

Hi
Here is an example of what I am after.

I am trying to search URL strings that contain a specific domain.tld as a matching pattern variable.

For example, I have a lookup with bad domains. One such domain is "malicious.com"

I want to find and match "malicious.com" if the string contains "cdn.malicious.com" OR if it contains "san.cdn.malicious.com.edgekey.net" etc...

I am not sure what the best way to do this is. Tried Regex but did not figure out how to use the interesting domain.tld as a variable.

I hope that makes sense.

Thank you

1 Solution

somesoni2
Revered Legend

Give this a try

your base search i.e. index=foo sourcetype=bar  [| inputlookup baddomainlookup.csv | table domain | eval search="*".domain."*" | table search]

adamcoquim
Explorer

What if you would like to use the subsearch results to search against a specfic field in the base search?

Example: your base search i.e. index=foo sourcetype=bar URL=$search [| inputlookup baddomainlookup.csv | table domain | eval search="".domain."" | table search]

Would something like that work to reference the subsearch results?


somesoni2
Revered Legend

The subsearch shown below will return the values of field domain as quoted strings and add them to the base search as a filter. This is because we're renaming it to the special field name "search".

[| inputlookup baddomainlookup.csv | table domain | eval search="".domain."" | table search]

Resulting query

index=foo sourcetype=bar "Domain1" OR "Domain2" OR "Domain3"...

If you want to compare it with a specific field name, then rename the field domain to that field name instead of search, e.g.

 index=foo sourcetype=bar  [| inputlookup baddomainlookup.csv | table domain | rename domain as URL]
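As an added example (not code from this thread and not Splunk's own), the Python below models the matching semantics of the two subsearch forms discussed here: the accepted answer's `*domain*` wildcard terms, which behave like a case-insensitive substring search over the event, and the final reply's `rename domain as URL`, which gives whole-value equality on the URL field. It also adds a label-boundary host match that hits both of the asker's cases (`cdn.malicious.com` and `san.cdn.malicious.com.edgekey.net`) without the substring false positives. The lookup rows, the event values and the function names are all constructed for the example; the exact text Splunk emits when it expands the subsearch is not reproduced.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the "domain" column of baddomainlookup.csv.
BAD_DOMAINS = ["malicious.com"]

# Constructed sample values of the URL field (one bare hostname included
# so the exact-match form has something it can hit).
VALUES = [
    "https://cdn.malicious.com/a.js",
    "https://san.cdn.malicious.com.edgekey.net/b.js",
    "malicious.com",
    "https://notmalicious.com/c",
    "https://example.org/?next=http://malicious.com/x",
]


def wildcard_terms(domains):
    """One *domain* term per lookup row, as eval search="*".domain."*" builds them.
    Splunk ORs the rows into the base search; only the terms are modelled here."""
    return ["*%s*" % d for d in domains]


def wildcard_hit(value, domain):
    """Approximate semantics of a bare *domain* term: case-insensitive substring
    anywhere in the event, so notmalicious.com and query-string echoes also match."""
    return domain.lower() in value.lower()


def exact_field_hit(value, domain):
    """Semantics of URL=<domain> produced by `rename domain as URL`:
    whole-value, case-insensitive equality against the field."""
    return value.lower() == domain.lower()


def host_label_hit(value, domain):
    """Added alternative: the lookup domain must appear as a contiguous run of
    whole DNS labels in the URL's host. Scheme-less values are treated as hosts."""
    parsed = urlsplit(value if "://" in value else "//" + value)
    host = (parsed.hostname or "").rstrip(".")
    labels = host.split(".")
    want = domain.lower().split(".")
    n = len(want)
    return any(labels[i:i + n] == want for i in range(len(labels) - n + 1))


def classify(values, domains):
    """Which of the three strategies would flag each value for any bad domain."""
    return {
        v: {
            "wildcard": any(wildcard_hit(v, d) for d in domains),
            "exact_field": any(exact_field_hit(v, d) for d in domains),
            "host_label": any(host_label_hit(v, d) for d in domains),
        }
        for v in values
    }


if __name__ == "__main__":
    print("subsearch terms:", " OR ".join(wildcard_terms(BAD_DOMAINS)))
    for value, hits in classify(VALUES, BAD_DOMAINS).items():
        print(value, hits)
```

The wildcard form is the only one of the two thread answers that catches the edgekey case, but it also flags `notmalicious.com` and any event whose query string merely mentions the bad domain; the exact-field form has no false positives but only works when the field already holds a bare domain equal to the lookup row. The label-boundary check is the compromise a detection engineer usually wants for this kind of lookup, at the cost of extracting the host first.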