Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking to see if a string is present in another search

wweiland
Contributor
‎10-12-2015 12:06 PM

I'm looking through DNS logs in one index. They are normal DNS logs, so they have the normal query containing the host+domain. I have threat data which just has the domain in another index. 

index=main sourcetype=dns 
| map search="index=sec u_type=domain u_status=Active earliest=0 latest=now u_indicator=$domain$"

above is what i've come up with so far, but it doesn't seem to work. Am I looking at this wrong? I want to make sure that if the domain in the threat data exist at all in the dns domain data, then I get a alert.

Any suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-12-2015 12:56 PM

If the number of threat domains is manageable, you can do something like this:

index=main sourcetype=dns [search index=sec u_type=domain u_status=Active earliest=0 latest=now | dedup u_indicator | fields u_indicator | rename u_indicator as domain]

If the number is larger, consider moving it to a lookup.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎10-12-2015 01:00 PM

When you are using map, it is better to have a deduplicated list of the values you want to map.

For example:

index=main sourcetype=dns
| dedup domain
| table domain
| map search="index=sec u_type=domain u_status=Active earliest=0 latest=now u_indicator=$domain$"

Another way you could do it would be using the set command:

| set intersect
[ index=main sourcetype=dns | fields - _* | fields domain]
[ index=sec u_type=domain u_status=Active | fields - _* | fields u_indicator]

Which I personally find a little clearer.

Please remember - subsearches have limits - please look at sideview's answer here for an example of using lookups.

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-12-2015 12:56 PM

If the number of threat domains is manageable, you can do something like this:

index=main sourcetype=dns [search index=sec u_type=domain u_status=Active earliest=0 latest=now | dedup u_indicator | fields u_indicator | rename u_indicator as domain]

If the number is larger, consider moving it to a lookup.

0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎10-12-2015 01:39 PM

Would this only trigger if the domain exactly matches the u_indicator?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-12-2015 01:48 PM

Yes, so would your map search.

0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎10-12-2015 01:53 PM

Can you think of a way I can write it so that if u_indicator is in any part of domain it would trigger? I was trying to think of how to use the if(match) but I can't seem to come up with the way.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-12-2015 02:35 PM

Yeah, but it might be very slow:

index=main sourcetype=dns [search index=sec u_type=domain u_status=Active earliest=0 latest=now | dedup u_indicator | fields u_indicator | rename u_indicator as domain | eval domain = "*".domain."*"]
0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎10-14-2015 08:27 AM

It also occurred to me that I could output the threat data to outputcsv and then do the same query against inputcsv? Can I still do the eval if I do that?

0 Karma
Reply
Solved! Jump to solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎10-14-2015 06:59 PM

evals are interpreted before lookups, but if they are in separate queries, should be no problem.

0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎10-15-2015 09:18 AM

So the query works as written, but I ran into the problem that you suspected I would have. Trying to compare 50k threat domains to each record with a wildcard is taking 8 mins for a 15 min period. The only way I can think to resolve the problem would be to use a custom search command and drop it to python with dictionaries. Problem is, I don't control the Splunk back-end and can't add custom commands easily. Any suggestions on what I could do within native Splunk? Would lookup tables be faster than inputcsv?

0 Karma
Reply
Solved! Jump to solution

wweiland
Contributor
‎10-12-2015 02:51 PM

Thank you kind sir. That works like a charm.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-12-2015 02:36 PM

With the lookup-based approach, you can set the lookup to match using wildcards and include those asterisks in the lookup.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...