- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Is using inputlookup or lookup commands the be...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is using inputlookup or lookup commands the best way to capture missing URLs from my search?
I have a lookup file named mylookup. The lookup is a csv with the following information:
SearchString, Reported_by, Description
domain.com, joe, malware hosting domain
bad.domain.com, steve, CnC server
anotherdomain.com/badpath, bill, crypto
10.10.10.10, john, suspected bad link host
What I would like to do is search proxy logs to match when the SearchString field in the lookup is found in the url field.
I know that
sourcetype=proxy | lookup mylookup SearchString as url OUTPUT Desription as URL_info | search URL_info=* | table user, url, URL_info
will return results that have an exact match of the SearchString and url.
This will miss the following urls:
10.10.10.10/somepath
www.domain.com
bad.domain.com:80
I would like to catch the three examples above that are not found by matching the SearchString and url.
Is this possible?
Is lookup vs. inputlookup the most appropriate method?
Thank you all in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A lookup table will only provide an exact match to a field but what you want is a wildcard on the values in your lookup table. This can be done through a few steps:
1. create lookup table with wildcard entries
*baddomain.com*
10.10.10.10*
*domain.com*
2. Upload file to splunk as test_lookup.csv
3. Create lookup definition ( test_lookup for test_lookup.csv)
4. Create transforms.conf entry
[test_lookup]
filename = test_lookup.csv
match_type=WILDCARD(SearchString)
5. Reload splunk
Now your lookup table will use wildcards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I came across this post for a similar case to yours...take a look.
link text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a Splunk noob, but wouldn't putting asterisks before and after your SearchString values work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After review I think I agree. Since I'm new I wanted to check and see if anyone had any idea's.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't believe either will catch-all unless there is an exact match.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
