I'm trying to use wildcards in a lookup file and am not able to get them working. I have referenced other posted answers but am not having success. Steps I have taken:
Created a lookup file called 'dt_s.csv' using the web interface by uploading the following content:
Created a lookup definition called 'dt' using the web interface, based off dt_s.csv
Our administrator added the below to transforms.conf on the indexers
filename = dts.csv
matchtype = WILDCARD(cs_host)
What are we doing wrong? Is there any other step-by-step official documentation on how to set this up? Thank you.
Answer in comments below: In a pre v6.6 deployment with indexers separate from search head, the [dt] section above has to be added to the local transforms.conf on indexers AND the search head.
Including the props.conf changes? I was under the impression props.conf should only be necessary if we want the lookup to be automatic, which I definitely do NOT in this case.
I don't understand. You only made the props.conf changes and not the transforms.conf changes?
Can you share your lookup name and the what you put in props.conf as an example?
to clarify we done it with transforms.conf and props.conf as we used automatic lookups and did not tested it with transforms.conf only. So our configs was same as in example:
LOOKUP-user = userlookup user OUTPUT username
filename = userlookup.csv
match_type = WILDCARD(user)
I tested this and got successful results with
| head 1
| eval cshost="www.foo.com"
| lookup dt cshost | fields cshost, issuspicious
2 things to consider:
1) Look at app context and permissions on the lookup knowledge objects. I doubt this is your issue since it works for the google domain.
2) I was able to do this all from the GUI without having to edit my transforms manually by configuring "advanced" options under the lookup definition, and using WILDCARD(cs_host) as my match type.
I made the change in the advanced options, adding WILDCARD(process), and then ran the following search where I'm trying to match on executables other than the two paths, but I'm seeing all process file names and not just defrag.exe that I copied to the desktop and executed.
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=Windows\\System32 Image!=Windows\\SysWOW64 | eval process=lower(process) | lookup isWindowsSystemFile_lookup process | search systemFile=true | table _time dest host user process Image