Hi,
My goal is to detect whether there are any matches with my custom Domain_IOC.csv list and display an additional column for the note.
Domain_IOC.csv list includes two columns
Domain and ioc_note (example picture attached of lookup table)
I want the output, if there are matches with Domain, to include the ioc_note column as well.
Current query I have (which gives me the matches with Domain but doesn't include the ioc_note column):
index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv |fields Domain]
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| stats values(Domain) as IOC by Date,host,Account,IP,Action
Thanks for your kind support.
 index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv | fields Domain]
 | stats count by _time, Domain, Action, Category
 | inputlookup append=t Domain_IOC.csv
 | eval Domain=trim(Domain,".")
 | eval Domain=trim(Domain,"*")
 | selfjoin Domain
 | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
 | fields - _time
Hi folks,
Domain in the search has an extra . (dot) and Domain in the lookup has an extra * (asterisk).
These can't match by lookup.
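To make the mismatch above concrete, here is an added Python example (not code from the thread or from Splunk) that reproduces what the lookup is doing: a raw string compare between the DNS event's Domain (trailing dot) and the lookup's Domain (leading asterisk) never matches, while normalising both sides and treating the asterisk as a subdomain wildcard does, and carries ioc_note through to the output. The CSV contents, the event rows and the domain names are constructed for this example; the column names Domain and ioc_note are taken from the thread.

```python
import csv
import io

# Constructed lookup in the same two-column layout as the thread's Domain_IOC.csv.
# One entry carries a leading "*." wildcard, as the poster found in their lookup.
IOC_CSV = """Domain,ioc_note
*.bad-example.test,known C2 domain (sample)
evil-example.test,phishing kit host (sample)
"""

# Constructed DNS events in the shape of the thread's stats output.
# The trailing dot is how many DNS logs render a fully qualified name.
DNS_EVENTS = [
    {"_time": "2024-01-01 10:00:00", "host": "ws01", "Account": "alice",
     "IP": "10.0.0.5", "Action": "allowed", "Domain": "cdn.bad-example.test."},
    {"_time": "2024-01-01 10:00:01", "host": "ws02", "Account": "bob",
     "IP": "10.0.0.6", "Action": "allowed", "Domain": "evil-example.test."},
    {"_time": "2024-01-01 10:00:02", "host": "ws03", "Account": "carol",
     "IP": "10.0.0.7", "Action": "allowed", "Domain": "www.example.test."},
]


def naive_match(domain, csv_text):
    """Exact string compare, i.e. what a plain lookup does: trailing dot
    and leading asterisk make every row miss."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Domain"] == domain:
            return row["ioc_note"]
    return None


def normalize(domain):
    """Lower-case and strip the trailing dot (the equivalent of trim(Domain,"."))."""
    return domain.strip().lower().rstrip(".")


def load_iocs(csv_text):
    """Split the lookup into exact entries and wildcard suffixes.
    A leading "*" or "*." is treated as "this domain and any subdomain"."""
    exact, wildcard = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dom = normalize(row["Domain"])
        note = row["ioc_note"]
        if dom.startswith("*"):
            suffix = dom.lstrip("*").lstrip(".")   # "*.bad.test" -> "bad.test"
            wildcard.append((suffix, note))
        else:
            exact[dom] = note
    return exact, wildcard


def match_ioc(domain, exact, wildcard):
    """Return the ioc_note for a domain, or None when it is not on the list."""
    dom = normalize(domain)
    if dom in exact:
        return exact[dom]
    for suffix, note in wildcard:
        if dom == suffix or dom.endswith("." + suffix):
            return note
    return None


def enrich(events, csv_text):
    """Keep only events whose Domain hits the IOC list, adding ioc_note
    (the equivalent of lookup ... OUTPUT ioc_note | where isnotnull(ioc_note))."""
    exact, wildcard = load_iocs(csv_text)
    hits = []
    for ev in events:
        note = match_ioc(ev["Domain"], exact, wildcard)
        if note is not None:
            out = dict(ev)
            out["ioc_note"] = note
            hits.append(out)
    return hits


if __name__ == "__main__":
    print("raw compare:", naive_match("evil-example.test.", IOC_CSV))
    for hit in enrich(DNS_EVENTS, IOC_CSV):
        print(hit["_time"], hit["host"], hit["Domain"], "->", hit["ioc_note"])
```

Running it shows the raw compare returning nothing even for the exact-looking entry, and the normalised matcher returning two enriched rows out of three, which is the behaviour the trim plus wildcard-lookup approaches in this thread aim for.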
Nice find, I didn't notice the extra dot and wildcard in the lookup. However, you can do a wildcard lookup; it is possible, have a look at my answer https://answers.splunk.com/answers/596835/how-to-search-for-values-in-a-lookup-table-with-wi.html
Hi,
Please try the search below:
index=dns sourcetype="dnslog"
| stats values(Domain) as Domain by _time,host,Account,IP,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time
Hi Hars,
Unfortunately it didn't work, no events showed.
Would you please advise?
If you run the query below, are you getting any results?
index=dns sourcetype="dnslog"
 | stats values(Domain) as Domain by _time,host,Account,IP,Action
Hi,
No results based on your query.
To verify that I'm receiving the events, see the screenshot below.
Try the query below:
index=dns sourcetype="dnslog"
| stats count by _time,Domain,host,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time