Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IOC Inputlookup

zayedaljaberi
Engager
‎05-01-2020 04:04 AM

Hi ,

my goal is to detect if there is any matches with my custom Domain_IOC.csv list and display additional column for the note.

Domain_IOC.csv list includes two columns
Domain and ioc_note (example picture attached of lookup table)alt text

I want the output to be if there was matches with domain is to include the ioc_note column as well.

Current Query I have (Which provides me the matches with domain but doesn't include ioc_note column)

index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv |fields Domain]
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| stats values(Domain) as IOC by Date,host,Account,IP,Action

For your kind support.

Tags (1)
Preview file
12 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎05-05-2020 09:10 AM 
 index=dns sourcetype="dnslog" [|inputlookup Domain_IOC.csv | fields Domain]
 | stats count by _time, Domain, Action, Category
 | inputlookup append=t Domain_IOC.csv
 | eval Domain=trim(Domain,".")
 | eval Domain=trim(Domain,"*")
 | sefljoin Domain
 | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
 | fields - _time

Hi folks
Domain in search has extra .(dot) and Domain in lookup has extra *(astarisk).
These can't match by lookup.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-05-2020 09:46 AM

Nice find I didn’t notice extra dot and wildcard in lookup. However you can do wildcard lookup and it is possible have a look at my answer https://answers.splunk.com/answers/596835/how-to-search-for-values-in-a-lookup-table-with-wi.html

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-01-2020 05:05 AM

Hi,

Please try below seaarch

index=dns sourcetype="dnslog"
| stats values(Domain) as Domain by _time,host,Account,IP,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time
0 Karma
Reply

zayedaljaberi
Engager
‎05-01-2020 09:42 AM

Hi Hars,

unfortunately it didn't work, no events showed.

Would you please advice?

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-04-2020 01:32 AM

If you run below query, are you getting any result ?

index=dns sourcetype="dnslog"
 | stats values(Domain) as Domain by _time,host,Account,IP,Action
0 Karma
Reply

zayedaljaberi
Engager
‎05-05-2020 06:24 AM

Hi,

No results based on your query

to verify that i'm receiving the events in the screenshot below
alt text

0 Karma
Reply

harsmarvania57
Ultra Champion
‎05-05-2020 07:05 AM

Try below query

index=dns sourcetype="dnslog"
| stats count by _time,Domain,host,Action
| lookup Domain_IOC.csv Domain as Domain OUTPUT ioc_note
| where isnotnull(ioc_note)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") 
| fields - _time
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...