Hello,
I am currently using a lookup table and definition to compare a list of IPs, Domains, URLs, etc. against certain fields in Splunk for matches. This query is used in a dashboard with multiple panels. Below is my query after lookup tables and definitions are established.
index="INDEX" [|inputlookup FILE.csv | return 50000 $indicator]| table action, src_ip, source, dst, destination, dst_ip, dstprt, filehash_md5, filehash_sha1, filehash_sha256, affectedFileHash | stats count
Sometimes I come across a URL that contains an equal sign '=' in it and it causes the query to not work with the following error.
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "http://IP/ies/api.cgi?act"=getConfig&id.
or
Error in 'search' command: Unable to parse the search: unbalance parenthesis.
Both seem to be tied to the same URLs that have equal signs in them, and I am unable to find a solution or workaround for this. The lookup table is put together using Python pandas, so I could always use some data wrangling if need be, but so far my attempts have failed.
I also noticed that the search bar in Splunk accepts the URL string if I use double ticks versus single, but as far as making that the standard output when using the inputlookup and the dashboards, I am not sure.
You are getting too fancy; try this:
index="INDEX" [|inputlookup FILE.csv | head 50000 | table indicator | format]
| stats count
It's not the equals sign that's tripping you up. It's the double quotes before the equals sign. Move the second pair of double quotes to the end of the URL.
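A small Python script, added here and not from the thread, that applies both answers to the lookup described in the question: it reads the indicator column, flags values that contain SPL syntax characters such as '=' or '"', and emits them as double-quoted terms in the shape `| format` produces, so an equals sign inside a URL stays inside the quotes. The sample CSV, the column name and the field name `indicator` are assumptions.

```python
"""Build a quoted Splunk term list from an indicator lookup.

Added example, not code from the thread. Assumes a lookup column named
`indicator` (as in the question) and emits the shape `| format` returns
for a subsearch: ( ( indicator="v1" ) OR ( indicator="v2" ) ).
"""
import csv
import io

# Constructed sample lookup; the URL rows are the kind that broke the
# original search because they contain '=' (one also has a quote).
SAMPLE_LOOKUP = """indicator,type
198.51.100.7,ip
evil.example,domain
http://IP/ies/api.cgi?act=getConfig&id,url
http://evil.example/x?q="a"&b=(c),url
"""

# Characters SPL treats as syntax when a term is left unquoted.
UNSAFE_CHARS = set('="()\\ \t')


def quote_spl(value: str) -> str:
    """Wrap value in double quotes, escaping only backslash and quote."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def needs_quoting(value: str) -> bool:
    """True if the raw value could be parsed as SPL syntax."""
    return any(ch in UNSAFE_CHARS for ch in value)


def load_indicators(csv_text: str, column: str = "indicator") -> list[str]:
    """Return stripped, non-empty, de-duplicated values from the lookup."""
    seen, out = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        if value and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def build_search(indicators: list[str], field: str = "indicator") -> str:
    """Emit the OR-ed, quoted term list a `| format` subsearch returns."""
    terms = [f"( {field}={quote_spl(v)} )" for v in indicators]
    return "( " + " OR ".join(terms) + " )"


if __name__ == "__main__":
    values = load_indicators(SAMPLE_LOOKUP)
    print("would break unquoted:", [v for v in values if needs_quoting(v)])
    print(build_search(values))
```

Running the checker over the lookup before it is written out catches the rows that will break the dashboard, and the built string can be pasted into the search bar to confirm the quoted form parses.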