- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Match all possible matches to lookuplist
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=proxy domain=*
| rename domain as emotet_domain
| where
[| inputlookup test
| fields emotet_domain]
| stats values(emotet_domain) as emotetDomain
so inside the lookup list i want to be able to match for example a threat of -- reason.com OR www.reason.com
i added the matchtype option of WILDCARD(emotet_domain) AND I have also tried WILDCARD(domain) I am not sure whihc one will help wildcard it, but as of right now it is NOT working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that your lookup has domain values like reason.com, all you need to do is this and then it should work:
inputlookup test
| eval emotet_domain = "*." . emotet_domain
| outputlookup test
Then use it like this:
index=proxy domain=*
| lookup test emotet_domain AS domain OUTPUT emotet_domain AS MATCHED
| where isnotnull(MATCHED)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this would def help in the future, unfortunately what was below will help even better.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=proxy domain=* [| inputlookup test | stats values(emotet_domain) as query |format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, what this is doing is it is searching all the events that happened and that it matches. I need to match the latest event so it only triggers an alert.
I also need to add more to it as well such as
index=proxy domain=* OR index=network* src_ip=* dest_ip=*
[| inputlookup test
| stats values(emotet_domain) as query, values(emotet_ip) as IP
|format]
| lookup test emotet_domain as domain OUTPUT emotet_domain
| lookup test emotet_ip as dest_ip OUTPUT emotet_ip
| lookup test emotet_ip as src_ip OUTPUT emotet_ip
will this work??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see what you want.
Let's ask another question.
at the time, please provide Csv sample and setting.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
