Hello to4kawa

I have tried "where" already but didnt work.

I think the problem is that the query "url=web" happens within "[....]" and therefore is not aware that the web field/variable exists.

any ideas on how to overcome this?

You also mentioned that my SPL is too problematic, can you please elaborate?

 source="WinEventLog:Microsoft-Windows-Sysmon/Operational"  ParentImage:("DATA") Image:("DATA2" OR "DATA3") 
| rex field=ParentImage "^.*\d(?<website>.*)\.*"

At this point,
Please tell me some values ​​of website and url .

| makeresults
| eval url="www.Jon.com/name/dsd.html#www.John.com/name/dsd.html#www.Michael.com/name/dsdf.html#*Jon*#*Michael*"
| makemv delim="#" url
| mvexpand url
`comment("check table status")`
| join url [| makeresults
| eval _raw="pid,url,verdict,process
5654,www.Jon.com/name/dsd.html,Pass,first
5745,www.Michael.com/name/dsdf.html,Fail,first"
| multikv forceheader=1
    | table pid,url,verdict,process]

From this result, you can see that the current query does not work properly.

The values would be the following:

url = www.Jon.com/name/dsd.html

website = www.Jon.com

the "url" exists within the CSV file and the "website" is extracted from a sysmon event. So basically I want to check if the extracted value (website) exists in the CSV file under the url column and if it does to capture it.

 source="WinEventLog:Microsoft-Windows-Sysmon/Operational"  ParentImage:("DATA") Image:("DATA2" OR "DATA3") 
| rex field=ParentImage "^.*\d(?<website>.*)\.*" 
| join website [|inputlookup URLDatabase.csv 
| rex field=url "(?<website>[^/]+)"
| table website, url]
| fields User App Product url 
| bucket_time span=20m 
| stats values(*) as * by _time

How about it?

Hello to4kawa,

Unfortunately it didn't work 😕

Check the results line by line.
I can't see your situation.