Splunk Search

Is using inputlookup or lookup commands the best way to capture missing URLs from my search?

Path Finder

I have a lookup file named mylookup. The lookup is a csv with the following information:

SearchString, Reported_by, Description
domain.com, joe, malware hosting domain
bad.domain.com, steve, CnC server
anotherdomain.com/badpath, bill, crypto
10.10.10.10, john, suspected bad link host

What I would like to do is search proxy logs to match when the SearchString field in the lookup is found in the url field.

I know that

sourcetype=proxy  | lookup mylookup SearchString as url OUTPUT Desription as URL_info | search URL_info=* | table user, url, URL_info

will return results that have an exact match of the SearchString and url.

This will miss the following urls:

10.10.10.10/somepath
www.domain.com
bad.domain.com:80

I would like to catch the three examples above that are not found by matching the SearchString and url.

Is this possible?
Is lookup vs. inputlookup the most appropriate method?

Thank you all in advance.

0 Karma

Builder

A lookup table will only provide an exact match to a field but what you want is a wildcard on the values in your lookup table. This can be done through a few steps:

1. create lookup table with wildcard entries

*baddomain.com*
10.10.10.10*
*domain.com*

2. Upload file to splunk as test_lookup.csv
3. Create lookup definition ( test_lookup for test_lookup.csv)
4. Create transforms.conf entry

[test_lookup]
 filename = test_lookup.csv
 match_type=WILDCARD(SearchString)

5. Reload splunk

Now your lookup table will use wildcards.

0 Karma

Path Finder

I came across this post for a similar case to yours...take a look.
link text

0 Karma

New Member

I'm a Splunk noob, but wouldn't putting asterisks before and after your SearchString values work?

0 Karma

Path Finder

After review I think I agree. Since I'm new I wanted to check and see if anyone had any idea's.

0 Karma

Legend

I don't believe either will catch-all unless there is an exact match.

0 Karma