Splunk Search

contains on lookup table

korhanacar
Engager

Hello All,


I have a quick question about comparing fields with a lookup table. Just imagine that I have a query like this:

index=linux [|inputlookup suspicious_commands.csv where command | fields command ]

Basically I have a lookup table that includes some Linux commands and I want to compare it with the command field from the original log source.

My question is that I want to run the "contains" function on the original command field using the values from the lookup.

Let's say the lookup has a command like "rm -rf" but the log itself has "/usr/bin/rm -rf" in the command field. Can I do this search based on contains instead of an exact match?


bowesmana
SplunkTrust
SplunkTrust

You can always prefix and tail command with *, i.e.

[|inputlookup suspicious_commands.csv where command | eval command="*".command."*" | fields command ]

The alternative is to make a lookup definition and define command as 

WILDCARD(command)

and put the * characters in your lookup file and then rather than using the subsearch, use the lookup command

yoursearch...
| lookup suspicious_commands command OUTPUT command as found
| where isnotnull(found)

and suspicious_commands is the lookup definition you have made based on your lookup file.



hoaxm3
Path Finder

So you should look into lookup definitions. You can try adding "WILDCARD(FieldA)" in order to query off of likeliness. So your lookup file would contain '*rm -rf*', and this would match your criteria.

- https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usefieldlookupstoaddinformationtoyoure...
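
Added example, not part of this thread and not Splunk's own code: a small Python emulation of what both answers above describe, a WILDCARD(command) lookup whose values are padded with * and matched against the command field, plus the OR-of-wildcards filter the subsearch in the accepted answer expands to. The lookup rows and the events are constructed for the demo; the `case_sensitive` parameter is an assumption standing in for the lookup definition's `case_sensitive_match` setting (default true), so the upper-case "CHMOD 777" event is only caught when it is switched off. The helper also shows why an un-padded value such as "rm -rf" never matches "/usr/bin/rm -rf", which is the exact-match problem the question asks about.

```python
import re

# Constructed stand-in for suspicious_commands.csv, already padded with *
# as the accepted answer suggests for a WILDCARD(command) lookup definition.
SUSPICIOUS_COMMANDS = ["*rm -rf*", "*chmod 777*", "*crontab -r*"]

# Constructed stand-in for index=linux events; only the fields we need.
EVENTS = [
    {"host": "web01", "command": "/usr/bin/rm -rf /tmp/build-cache"},
    {"host": "web01", "command": "ls -la /var/log"},
    {"host": "app03", "command": "/bin/chmod 777 /opt/app/uploads"},
    {"host": "app03", "command": "CHMOD 777 /opt/app/uploads"},
    {"host": "db02", "command": "/usr/bin/crontab -r"},
]


def wildcard_to_regex(pattern, case_sensitive=True):
    """Translate a lookup value in which only '*' is special into an anchored regex.

    re.escape() keeps '.', '/', '(' and similar characters literal, so a value
    like "/usr/bin/rm -rf" is matched as text, not as regex syntax; each '*'
    becomes '.*', which is what turns the lookup into a "contains" match.
    """
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile(f"^{body}$", flags)


def lookup_wildcard(events, patterns, case_sensitive=True):
    """Emulate
        | lookup suspicious_commands command OUTPUT command AS found
        | where isnotnull(found)
    Each event is returned with 'found' set to the first matching lookup value;
    events that match nothing are dropped. case_sensitive is an assumed stand-in
    for the lookup definition's case_sensitive_match option (default true).
    """
    compiled = [(raw, wildcard_to_regex(raw, case_sensitive)) for raw in patterns]
    hits = []
    for event in events:
        for raw, regex in compiled:
            if regex.match(event["command"]):
                hits.append({**event, "found": raw})
                break
    return hits


def subsearch_filter(patterns, field="command"):
    """Render, approximately, what the accepted answer's subsearch expands to:
    a disjunction of wildcard terms that Splunk evaluates as "contains" matches."""
    return " OR ".join(f'{field}="{p}"' for p in patterns)


if __name__ == "__main__":
    print("subsearch expands to:", subsearch_filter(SUSPICIOUS_COMMANDS))
    for hit in lookup_wildcard(EVENTS, SUSPICIOUS_COMMANDS):
        print(f'{hit["host"]}: {hit["command"]!r} matched {hit["found"]!r}')
    # The upper-case variant only shows up once case sensitivity is disabled.
    print("case-insensitive hits:", len(lookup_wildcard(EVENTS, SUSPICIOUS_COMMANDS, case_sensitive=False)))
```

Two things worth carrying over to the real lookup: the * padding has to be in the lookup file itself when you use the lookup definition route (the eval in the subsearch route adds it on the fly), and a value with no * at all still behaves as an exact match, so one un-padded row will silently miss the "/usr/bin/..." form.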
