- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Values from inputlookup file not captured in s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Values from inputlookup file not captured in syslog
Hello All,
I wrote below query to get the URLs from inputlookup file that is not captured in syslog.But didnt give me any results.Can someone please help me to find out the issue with below query.
- |inputlookup URLs.csv | fields Domains| rename Domains as domain | join domain[search index=* sourcetype=syslog eventtype=DNS host="device1" OR host="device2" | where domain=""] | table domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suggest you move your search strings around such that your inputlookup is the one inside your join search:
index=* sourcetype=syslog eventtype=DNS host="device1" OR host="device2"
| where domain=""
| join domain
[| inputlookup URLs.csv
| fields Domains
| rename Domains as domain
]
| table domain
In your example (and in mine as I tried to keep it the same as yours), you are searching for an empty domain field, but are also joining on the same domain field. This seems like it would cause an issue with your join.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@micahkemp
Thank you so much for your input.I ran the query u have provided.But no results found.
please Correct me if i am wrong.the query you have given,will take each domain from lookupfile and search it in syslog. And if the URL not found in syslog,then it will list in table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure that the search I pasted actually accomplishes anything of value, because I don't really understand your use case. Can you explain more about what it is you are looking for in terms of searching and how the CSV could be used?
What I have above looks like it would end up performing basic lookup capabilities, which would be better accomplished by using the lookup command with the csv in question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually i have few URLs in inputlookup file.i want each URL from lookup file to be searched in syslog.And whichever URLs are not found in syslog,should be showed in a table..
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
