Splunk Search

Search exact string from inputlookup sub-search

qbolbk59
Path Finder

Hi,

I am trying to list all the events where a user has fired a DNS request to a specific domain mentioned in a lookup file. It's pretty easy to do this by simply adding the inputlookup sub-search in the query as shown below:

index=main  [|inputlookup Domains.csv | rename Domain as query |fields query ] | stats values(query) as queries by src 

But the problem with the query is that it's giving the results but with some False positive. For e.g., if there's an entry in the lookup file named as "abc.com" and the user did a DNS request to "dummyabc.com", the query is still giving me results. This means that the sub-search is not doing the exact string match of the DNS request fired with the actual entry in the lookup. Instead it's just checking if the lookup entry matched the DNS string.

Is there a way by which i can ensure that this query only give result when the DNS query fired and the entry in the lookup and exactly the same ??

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @qbolbk59,
if I correctly understood your question, when you use query field, you run a text search on the events and not on a specified field, so there could be other strings that match the strings from lookup.
Then you cannot use query field after the search.

So, if you want to search on a specified field, you cannot use query, but the specified field (e.g. "usi"), eventually adding jolly chars, something like this:

 index=main  [ | inputlookup Domains.csv | eval uri="*".Domain."*" | fields uri ] 
| stats values(uri) as uri by src 

Ciao.
Giuseppe

0 Karma

qbolbk59
Path Finder

Hi @gcusello ,

The field name in lookup is "Domain" and the field name in the actual events in the index is "query". Are you saying that the query then should be like below ?

index=main [ | inputlookup Domains.csv | eval Domain="".query."" | fields Domain ]

I tried this but it doesn't give any result to me. am i doing something wrong ?

0 Karma

mshkurnov
New Member

This query is works for me:
sourcetype="dnslogs" answer=* [| inputlookup listofsites.csv | eval query = "\"" . domain_name . "\"" | table query]

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @qbolbk59,
at first in the lookup the field name seems to be Domain, infact you renamed it in query.
Anyway the problem is that "query" is a special word and you cannot use it except when you want a text search (like you did).
In other words, in your search you filtered the main search results with a full text search using the content of the lookup Domain field.
In this way, you could have the strings of lookup also in other fields of your results and these could be false positives, for this reason I hint to use a field named search and not the full text search (using query).

Ciao and Happy New Year.
Giuseppe

0 Karma

to4kawa
Ultra Champion

HI, @qbolbk59
What is the field name and status of this search result?
What is the field with dummyabc.com?

0 Karma

qbolbk59
Path Finder

Hi @to4kawa ,

The field name in the indexed data is "query" and the field name in the lookup is "Domain". Hence in the subsearch i renamed the lookup field name same as the indexed data.

When i do the search, it also lists the events where the value of the lookup field partially matches with the value in the indexed data. Instead, i want them it to render results only when the values are exactly the same.

the field with dummyabc.com is the field in the indexed data with field name as "Domain"

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...