Hello All,
I have a quick question about comparing fields from a lookup table. Just imagine that I have a query like this:

index=linux [|inputlookup suspicious_commands.csv where command | fields command ]

Basically I have a lookup table that includes some Linux commands and I want to compare it with the command field from the original log source.
The question is that I want to run the "contains" function on the original command field from the lookup.
Let's say the lookup has a command like "rm -rf" but the log itself has "/usr/bin/rm -rf." in the command field. Can I do this search based on contains instead of an exact match?
You can always prefix and tail command with *, i.e.
[|inputlookup suspicious_commands.csv where command | eval command="*".command."*" | fields command ]
The alternative is to make a lookup definition and define command as
WILDCARD(command)
and put the * characters in your lookup file and then rather than using the subsearch, use the lookup command
yoursearch...
| lookup suspicious_commands command OUTPUT command as found
| where isnotnull(found)
and suspicious_commands is the lookup definition you have made based on your lookup file.
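To make the lookup-definition approach concrete, here is an added example (not from the answer above) showing the three pieces that have to line up: the lookup file with the wildcards stored in it, the transforms.conf stanza that declares the lookup definition with WILDCARD matching, and the search that uses it. The file contents, the `description` column, the stanza name and the host/user fields are assumptions; the `# ----` lines only separate the three parts and are not part of the files.

```conf
# ---- suspicious_commands.csv (constructed sample lookup file) ----
# Wildcards live in the file itself, so "/usr/bin/rm -rf ." matches "*rm -rf*".
command,description
*rm -rf*,recursive delete
*chmod 777*,world-writable permissions
*useradd*,local account creation

# ---- transforms.conf (lookup definition; stanza name is assumed) ----
[suspicious_commands]
filename = suspicious_commands.csv
# Treat the command column as a wildcard pattern instead of an exact string.
match_type = WILDCARD(command)
# Ignore case so "RM -RF" is still caught.
case_sensitive_match = false
# One matching row per event is enough to flag it.
max_matches = 1

# ---- search (SPL) ----
# Events whose command field matches no pattern get no matched_rule value
# and are dropped by the where clause; the rest are the hits.
index=linux
| lookup suspicious_commands command OUTPUT description AS matched_rule
| where isnotnull(matched_rule)
| table _time host user command matched_rule
```

Because the match happens in the lookup rather than in a subsearch, the pattern list can grow without hitting subsearch result limits, and the `description` column tells the analyst which rule fired.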
So you should look into lookup definitions. You can try adding a "WILDCARD(FieldA)" in order to query off of likeliness. So your lookup file would contain '*rm -rf*', and this would match your criteria.