Splunk Search

Is using inputlookup or lookup commands the best way to capture missing URLs from my search?

Path Finder

I have a lookup file named mylookup. The lookup is a csv with the following information:

SearchString, Reported_by, Description
domain.com, joe, malware hosting domain
bad.domain.com, steve, CnC server
anotherdomain.com/badpath, bill, crypto, john, suspected bad link host

What I would like to do is search proxy logs to match when the SearchString field in the lookup is found in the url field.

I know that

sourcetype=proxy  | lookup mylookup SearchString as url OUTPUT Desription as URL_info | search URL_info=* | table user, url, URL_info

will return results that have an exact match of the SearchString and url.

This will miss the following urls:

I would like to catch the three examples above that are not found by matching the SearchString and url.

Is this possible?
Is lookup vs. inputlookup the most appropriate method?

Thank you all in advance.

0 Karma


A lookup table will only provide an exact match to a field but what you want is a wildcard on the values in your lookup table. This can be done through a few steps:

1. create lookup table with wildcard entries


2. Upload file to splunk as test_lookup.csv
3. Create lookup definition ( test_lookup for test_lookup.csv)
4. Create transforms.conf entry

 filename = test_lookup.csv

5. Reload splunk

Now your lookup table will use wildcards.

0 Karma

Path Finder

I came across this post for a similar case to yours...take a look.
link text

0 Karma

New Member

I'm a Splunk noob, but wouldn't putting asterisks before and after your SearchString values work?

0 Karma

Path Finder

After review I think I agree. Since I'm new I wanted to check and see if anyone had any idea's.

0 Karma


I don't believe either will catch-all unless there is an exact match.

0 Karma