I have a lookup file named mylookup. The lookup is a csv with the following information:
SearchString, Reported_by, Description
domain.com, joe, malware hosting domain
bad.domain.com, steve, CnC server
anotherdomain.com/badpath, bill, crypto
10.10.10.10, john, suspected bad link host
What I would like to do is search proxy logs to match when the SearchString field in the lookup is found in the url field.
I know that
sourcetype=proxy | lookup mylookup SearchString as url OUTPUT Description as URL_info | search URL_info=* | table user, url, URL_info
will return results that have an exact match of the SearchString and url.
This will miss the following urls:
10.10.10.10/somepath
www.domain.com
bad.domain.com:80
I would like to catch the three examples above that are not found by matching the SearchString and url.
Is this possible?
Is lookup vs. inputlookup the most appropriate method?
Thank you all in advance.
A lookup table will only provide an exact match to a field but what you want is a wildcard on the values in your lookup table. This can be done through a few steps:
1. create lookup table with wildcard entries
*baddomain.com*
10.10.10.10*
*domain.com*
2. Upload file to splunk as test_lookup.csv
3. Create lookup definition (
4. Create transforms.conf entry
[test_lookup]
filename = test_lookup.csv
match_type = WILDCARD(SearchString)
5. Reload splunk
Now your lookup table will use wildcards.
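As an added illustration (not part of the original question or answer, and not Splunk code), the following Python models what the two match types do to the question's proxy URLs: the default exact match against the original CSV, and `match_type = WILDCARD(SearchString)` against a wildcard version of the table. Both lookup tables and the proxy events are constructed here; the wildcard semantics assumed are that only `*` is special and every other character, including `.`, is matched literally.

```python
import csv
import io
import re

# Constructed copy of the question's lookup (exact-match entries).
EXACT_CSV = """SearchString,Reported_by,Description
domain.com,joe,malware hosting domain
bad.domain.com,steve,CnC server
anotherdomain.com/badpath,bill,crypto
10.10.10.10,john,suspected bad link host
"""

# Constructed wildcard version of the same table. The more specific pattern
# is listed before the broader one because this model returns the first
# matching row in file order (an assumption about Splunk's max_matches=1 behaviour).
WILDCARD_CSV = """SearchString,Reported_by,Description
*bad.domain.com*,steve,CnC server
*domain.com*,joe,malware hosting domain
*anotherdomain.com/badpath*,bill,crypto
10.10.10.10*,john,suspected bad link host
"""

# Constructed proxy events; only user and url are needed here.
PROXY_LOGS = [
    {"user": "alice", "url": "domain.com"},
    {"user": "bob", "url": "10.10.10.10/somepath"},
    {"user": "carol", "url": "www.domain.com"},
    {"user": "dave", "url": "bad.domain.com:80"},
    {"user": "erin", "url": "www.example.org/index.html"},
]


def load_lookup(text):
    """Parse a lookup CSV into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def wildcard_to_regex(pattern):
    """Translate a '*'-style wildcard into an anchored regex.
    Only '*' is special; '.' and '/' are escaped so they match literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def exact_lookup(url, table):
    """Default lookup behaviour: the url must equal SearchString exactly."""
    return [row for row in table if row["SearchString"] == url]


def wildcard_lookup(url, table):
    """Behaviour once transforms.conf sets match_type = WILDCARD(SearchString)."""
    return [row for row in table
            if wildcard_to_regex(row["SearchString"]).match(url)]


def enrich(events, table, matcher):
    """Model '| lookup ... OUTPUT Description as URL_info | search URL_info=*':
    keep only events whose url matched and attach URL_info from the first row."""
    out = []
    for ev in events:
        rows = matcher(ev["url"], table)
        if rows:
            out.append({**ev, "URL_info": rows[0]["Description"]})
    return out


if __name__ == "__main__":
    exact_hits = enrich(PROXY_LOGS, load_lookup(EXACT_CSV), exact_lookup)
    wild_hits = enrich(PROXY_LOGS, load_lookup(WILDCARD_CSV), wildcard_lookup)
    print("exact match:", [(e["user"], e["url"]) for e in exact_hits])
    print("wildcard match:", [(e["user"], e["url"], e["URL_info"]) for e in wild_hits])
```

Running it shows the exact table catching only `domain.com`, while the wildcard table also catches `10.10.10.10/somepath`, `www.domain.com` and `bad.domain.com:80`. Two things the model makes visible that the config alone does not: a broad pattern such as `*domain.com*` also matches `bad.domain.com:80`, so row order decides which Description is returned when one url matches several entries, and a pattern with no `*` at all still behaves as an exact match under WILDCARD, which is why the indicators in the wildcard table carry leading or trailing `*`.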