Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

IOC Inputlookup

zayedaljaberi
Engager
‎05-01-2020 04:04 AM

Hi ,

my goal is to detect if there is any matches with my custom Domain_IOC.csv list and display additional column for the note.

Domain_IOC.csv list includes two columns
Domain and ioc_note (example picture attached of lookup table)alt text

I want the output to be if there was matches with domain is to include the ioc_note column as well.

Current Query I have (Which provides me the matches with domain but doesn't include ioc_note column)

index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv |fields Domain]
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| stats values(Domain) as IOC by Date,host,Account,IP,Action

For your kind support.

Tags (1)
Preview file
12 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎05-05-2020 09:10 AM 
 index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv | fields Domain]
 | stats count by _time, Domain, Action, Category
 | inputlookup append=t Domain_IOC.csv
 | eval Domain=trim(Domain,".")
 | eval Domain=trim(Domain,"*")
 | sefljoin Domain
 | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
 | fields - _time

Hi folks
Domain in search has extra .(dot) and Domain in lookup has extra *(astarisk).
These can't match by lookup.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-05-2020 09:46 AM

Nice find I didn’t notice extra dot and wildcard in lookup. However you can do wildcard lookup and it is possible have a look at my answer https://answers.splunk.com/answers/596835/how-to-search-for-values-in-a-lookup-table-with-wi.html

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-01-2020 05:05 AM

Hi,

Please try below seaarch

index=dns sourcetype="dnslog"
| stats values(Domain) as Domain by _time,host,Account,IP,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time
0 Karma
Reply

zayedaljaberi
Engager
‎05-01-2020 09:42 AM

Hi Hars,

unfortunately it didn't work, no events showed.

Would you please advice?

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-04-2020 01:32 AM

If you run below query, are you getting any result ?

index=dns sourcetype="dnslog"
 | stats values(Domain) as Domain by _time,host,Account,IP,Action
0 Karma
Reply

zayedaljaberi
Engager
‎05-05-2020 06:24 AM

Hi,

No results based on your query

to verify that i'm receiving the events in the screenshot below
alt text

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-05-2020 07:05 AM

Try below query

index=dns sourcetype="dnslog"
| stats count by _time,Domain,host,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...