Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

contains on lookup table

korhanacar
Engager
‎09-20-2021 03:43 AM

Hello All,


I have a quick question about comparison fields from a lookup table.  Just imagine that I have a query like this.

index=linux [|inputlookup suspicious_commands.csv where command | fields command ]  Basically I have a lookup table that includes some Linux commands and I want to compare it with command fields from the origin log source. 

Question is that I want to run the "contains" function on the original command fields from lookup. 

 

Let say lookup has a command like: "rm -rf" but the log itself is "/usr/bin/rm -rf." in the command field  Can I do this search based on contains instead of the exact match? 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-20-2021 03:33 PM

You can always prefix and tail command with *, i.e.

[|inputlookup suspicious_commands.csv where command | eval command="*".command."*" | fields command ]

The alternative is to make a lookup definition and define command as 

WILDCARD(command)

and put the * characters in your lookup file and then rather than using the subsearch, use the lookup command

yoursearch...
| lookup suspicious_commands command OUTPUT command as found
| where isnotnull(found)

and suspicious_commands is the lookup definition you have made based on your lookup file.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-20-2021 03:33 PM

You can always prefix and tail command with *, i.e.

[|inputlookup suspicious_commands.csv where command | eval command="*".command."*" | fields command ]

The alternative is to make a lookup definition and define command as 

WILDCARD(command)

and put the * characters in your lookup file and then rather than using the subsearch, use the lookup command

yoursearch...
| lookup suspicious_commands command OUTPUT command as found
| where isnotnull(found)

and suspicious_commands is the lookup definition you have made based on your lookup file.

 

0 Karma
Reply
Solved! Jump to solution

hoaxm3
Path Finder
‎09-20-2021 03:04 PM

so you should look into lookup definitions. You can try adding a "WILDCARD(FieldA)" in order to query off of likeliness. So you're lookup file would contain '*rm -rf*', and this would match your criteria.

- https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usefieldlookupstoaddinformationtoyoure...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...