Splunk Search

Querying partial match from lookup

pjtbasu
Explorer

Hi,

 

I've a lookup that looks like this:

clientid  url
abc       accounts/*/balance
abc       accounts/*/name
xyz       /user/*/details

 

And I've a log like this:

app  endpoint                    responsecode
ms1  accounts/12345/balance      200
ms2  prod/accounts/98765/name    500
...
ms1  /user/randomuserid/details  403

 

I want to search using the uri field from the lookup, which contains regex and additionally doesn't exactly match the endpoint field of the log (it's like this: *uri* == endpoint).

 

I am trying to get a result like this:

app  url                 clientid
ms1  accounts/*/balance  abc
ms1  /user/*/details     xyz
ms2  accounts/*/name     abc

 

Is it doable via inputlookup? I've around 2500 rows in my lookup file.

 

0 Karma

ITWhisperer
SplunkTrust

Do your endpoints always end in word/number/word? If so, you could extract the two words and combine them to make a string word/*/word and use that to look up the clientid.

0 Karma

pjtbasu
Explorer

No, they don't. Those are absolutely randomized 2000+ endpoints. I've previously tried to create regex values, but then I'd have to tackle them case by case, which won't be possible for 2000+ possible endpoints. So I had to abandon that.

That is the reason I created a lookup from a different source. Now in all cases *uri* == endpoint, but I'm still not sure how to achieve that. I was trying match_type in the lookup definition, but could not make it work.

0 Karma
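The matching the thread is after can be expressed in Splunk without touching each endpoint: a lookup definition whose transforms.conf stanza carries `match_type = WILDCARD(url)` (so the `*` in the lookup value is treated as a wildcard rather than a literal), used as `| lookup <definition> url AS endpoint OUTPUT clientid url AS matched_url`. Two caveats a practitioner should check first. WILDCARD matching is against the whole field, so `accounts/*/name` does not match `prod/accounts/98765/name`; either the lookup values need a leading and trailing `*` (`*accounts/*/name*`) or the `prod/` prefix has to be stripped from `endpoint` before the lookup. And the wildcard also spans `/`, so `accounts/*/balance` matches `accounts/1/2/balance` too. The following Python is an added example, not code from the original post or from Splunk, that models exactly that substring-wildcard match against the constructed lookup and log rows from the thread so the behaviour (including the escaping of regex metacharacters such as `.` in URL paths, which a naive `*` to `.*` rewrite gets wrong) can be checked offline. The row and event data are constructed to mirror the post; the function names are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed lookup rows mirroring the post: clientid plus a url with '*' wildcards.
LOOKUP = [
    {"clientid": "abc", "url": "accounts/*/balance"},
    {"clientid": "abc", "url": "accounts/*/name"},
    {"clientid": "xyz", "url": "/user/*/details"},
]

# Constructed log events mirroring the post.
EVENTS = [
    {"app": "ms1", "endpoint": "accounts/12345/balance", "responsecode": "200"},
    {"app": "ms2", "endpoint": "prod/accounts/98765/name", "responsecode": "500"},
    {"app": "ms1", "endpoint": "/user/randomuserid/details", "responsecode": "403"},
]


def wildcard_to_regex(pattern: str, substring: bool = True) -> re.Pattern:
    """Compile a lookup value such as 'accounts/*/balance' into a regex.

    Every literal segment is re.escape()d so '.', '+', '(' and friends inside a
    URL path stay literal; only '*' becomes '.*', and like Splunk's WILDCARD
    match it spans '/' as well. substring=True leaves the pattern unanchored,
    which is the '*uri* == endpoint' behaviour the post asks for; substring=False
    anchors it, which is what a plain WILDCARD lookup does on the whole field.
    """
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if not substring:
        body = "^" + body + "$"
    return re.compile(body)


def compile_lookup(rows: List[dict]) -> List[Tuple[dict, re.Pattern]]:
    """Compile every row once; order most-specific (longest literal text) first
    so a tighter pattern wins when a looser one would also match."""
    compiled = [(row, wildcard_to_regex(row["url"])) for row in rows]
    compiled.sort(key=lambda rc: len(rc[0]["url"].replace("*", "")), reverse=True)
    return compiled


def lookup_client(endpoint: str, compiled) -> Optional[Tuple[str, str]]:
    """Return (url, clientid) for the first matching lookup row, or None."""
    for row, rx in compiled:
        if rx.search(endpoint):
            return row["url"], row["clientid"]
    return None


def enrich(events: List[dict], rows: List[dict]) -> List[dict]:
    """Produce the app / url / clientid table from the post, one row per event
    whose endpoint matched a lookup pattern."""
    compiled = compile_lookup(rows)
    result = []
    for ev in events:
        hit = lookup_client(ev["endpoint"], compiled)
        if hit is not None:
            result.append({"app": ev["app"], "url": hit[0], "clientid": hit[1]})
    return result


if __name__ == "__main__":
    for row in enrich(EVENTS, LOOKUP):
        print(f'{row["app"]}  {row["url"]}  {row["clientid"]}')
```

The ordering in compile_lookup matters once a 2500-row lookup contains overlapping patterns: Splunk's own lookup returns the first match in file order (or several, with max_matches), so if specificity matters the CSV should be sorted the same way before it is uploaded.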