Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use 「inputlookup」fliter duplicate domains (BIND dns query log)

Sunjux
Explorer
‎07-30-2020 12:56 AM

hello ervery:

Scenario:

In my case,I use daily search create DnsQueryLog.csv,record the domains inquired every day in this *csv file(Not repeating),And I hope to find a new query domain by comparing these domains every day.

Problem:

Now I have DnsQueryLog.csv  contains 8,038 domains ,and I confirmed that data can be displayed using  the following command:

| inputlookup DnsQueryLog.csv

And I use the following command wnat find some new query domain today,

sourcetype="isc:bind:query" 
| stats count(query) by query
| sort - count 
| fields query
| search NOT 
    [| inputlookup DnsQueryLog.csv]

But it's not work,In this test, the number of domains queried today is equal to the data in the csv file, which is also 8,038 , My understanding is that if it runs correctly, the number of search data should be 「0」,But it shows 8038 records, which confuses me .Can someone help me confirm which part I am doing wrong?

p.s

  • I have confirmed that the domain name in the csv file is the same as the query result.(8,038)
  • The csv field name is the same as the output field of the query result.

Sincere thanks

Labels (3)
Labels
0 Karma
Reply

rnowitzki
Builder
‎07-30-2020 02:54 AM

Hi @Sunjux ,

I made some tests and my assumption is that it does not work as you expect due to additional fields (other than "query") in your csv. Is that the case - do you have more fields in that csv?

So, you might want to try: 

sourcetype="isc:bind:query" 
| stats count(query) by query
| sort - count 
| fields query
| search NOT 
    [| inputlookup DnsQueryLog.csv | fields query]

 

Hope it helps
BR
Ralph

--
Karma and/or Solution Tagging appreciated.

--
Karma and/or Solution tagging appreciated.
Reply

Sunjux
Explorer
‎07-30-2020 03:14 AM

hi @rnowitzki :

Only one field in this *.csv,

messageImage_1596103599371.jpg

 

And I tried the following search, but it didn’t work

sourcetype="isc:bind:query" 
| stats count(query) by query
| sort - count 
| fields query
| search NOT 
    [| inputlookup DnsQueryLog.csv | fields query]

 I appreciate your reply, thanks!

 

0 Karma
Reply

rnowitzki
Builder
‎07-30-2020 03:36 AM

Hi @Sunjux ,

Interesting.

Maybe there is something different to the query fields. Could be data type e.g.

Try this to confirm:

 

sourcetype="isc:bind:query" 
| stats count(query) by query
| sort - count 
| fields query
| appendcols
[| inputlookup DnsQueryLog.csv | rename query as csv_query]
| eval compare=if(query==csv_query, "equal", "not_equal")
| eval type_of_query=typeof(query)
| eval type_of_csv_query=typeof(csv_query)

 


It should show equal in the "compare" field, if the fields are really equal, looking at content and type.
In type_of_query/type_of_csv_query it will show probably string in both cases...but just make sure it is the same.

If that does not solve the riddle, can you maybe show one/some examples of "query" in that case? You could change some characters to anonymize the data.

BR
Ralph


--
Karma and/or Solution tagging appreciated.
Reply

Sunjux
Explorer
‎08-02-2020 08:13 PM

Hi, @rnowitzki 

I tried the search syntax you provided,and the results are shown below :

messageImage_1596423640365.jpg

I think the cause of the problem is that 「type_of_csv_query」 shows 「invalid」,

These csv files were uploaded using Lookup Editor after saving a new file through search syntax. Is this caused by this?

Thank you for your assistance, I think my question is getting clearer.

Thanks again.

0 Karma
Reply

rnowitzki
Builder
‎08-04-2020 01:06 AM

Hi @Sunjux ,

Ugh, that is strange, I don't know what kind of data would result in "invalid" for the typeof() function.

Is there no visible difference between query and csv_query? Maybe one of them in quotes and the other not or something like that?

What you could try is to transform both of them to string. But I am not sure if it works with the csv_query in that case.

See if the "confirmation" SPL works like that:

sourcetype="isc:bind:query" 
| stats count(query) by query
| sort - count 
| fields query
| eval query=tostring(query)
| appendcols
[| inputlookup DnsQueryLog.csv | eval query=tostring(query) | rename query as csv_query]
| eval compare=if(query==csv_query, "equal", "not_equal")
| eval type_of_query=typeof(query)
| eval type_of_csv_query=typeof(csv_query)


If that works, you might want to try the initial SPL again like this:

sourcetype="isc:bind:query" 
| stats count(query) by query
| sort - count 
| fields query
| eval query=tostring(query)
| search NOT 
    [| inputlookup DnsQueryLog.csv | eval query=tostring(query) | fields query]




--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...