hi, i am a total newbie
i need to do a search in splunk matching the domain in my lookup table (master_lookup.csv)
my table has the columns
indicators, published_date, last_update, labels
my index is below
((index=bcoat_logs AND sourcetype=bluecoat:proxysg:access:file ) OR (index=nanolog_906062_zscaler AND sourcetype=zscalernss-web))
how do i get the output when it matches the indicators
my desired output will include
_time, indicators, published_date, last_update, labels
indicators
((index=bcoat_logs AND sourcetype=bluecoat:proxysg:access:file ) OR (index=nanolog_906062_zscaler AND sourcetype=zscalernss-web))
| lookup master_lookup.csv indicators
| table _time, indicators, published_date , last_update, labels
is the indicator an exact match?
connect.facebook.net is inside my csv file
will it be able to search for facebook.net?
It depends on your lookup definition - there are some advanced options available
What field or fields are you using from your index to lookup data in your lookup table?
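As an added illustration of the exact-match question (this is not code from the thread, and a plain Splunk CSV lookup only does the "exact" mode shown here), the function below emulates joining proxy events to a constructed stand-in for master_lookup.csv, once as an exact match and once walking up the parent domains of the event host; the event field name `dest` is an assumption, since the thread never names the proxy log field.

```python
import csv
import io

# Constructed stand-in for master_lookup.csv (not the asker's real file).
LOOKUP_CSV = """indicators,published_date,last_update,labels
connect.facebook.net,2023-01-10,2023-02-01,tracker
evil.example,2023-03-05,2023-03-06,malware-c2
"""

# Constructed proxy events; 'dest' is an assumed field name for the requested host.
EVENTS = [
    {"_time": "2023-04-01T10:00:00", "dest": "CONNECT.FACEBOOK.NET."},
    {"_time": "2023-04-01T10:01:00", "dest": "facebook.net"},
    {"_time": "2023-04-01T10:02:00", "dest": "cdn.evil.example"},
    {"_time": "2023-04-01T10:03:00", "dest": "evil.example.com"},
]

OUTPUT_FIELDS = ("_time", "indicators", "published_date", "last_update", "labels")


def normalize(host):
    """Lower-case and strip a trailing dot so 'Foo.NET.' and 'foo.net' compare equal."""
    return host.strip().lower().rstrip(".")


def load_lookup(text):
    """Return {normalized indicator: csv row} from the lookup CSV text."""
    return {normalize(r["indicators"]): r for r in csv.DictReader(io.StringIO(text))}


def find_indicator(host, table, mode="exact"):
    """Return the matching lookup row or None.

    exact:  the host must equal an indicator (what a plain CSV lookup does).
    parent: the host matches an indicator equal to it or to one of its parent
            domains (cdn.evil.example -> evil.example). Stepping only across
            label boundaries means evil.example.com never matches evil.example,
            and a host of facebook.net never matches connect.facebook.net.
    """
    host = normalize(host)
    candidates = [host]
    if mode == "parent":
        labels = host.split(".")
        candidates += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    return next((table[c] for c in candidates if c in table), None)


def enrich(events, table, field="dest", mode="exact"):
    """Emulate '| lookup ... | table ...' and keep only events that matched."""
    rows = []
    for ev in events:
        hit = find_indicator(ev[field], table, mode)
        if hit:
            row = {"_time": ev["_time"]}
            row.update({k: hit[k] for k in OUTPUT_FIELDS[1:]})
            rows.append(row)
    return rows
```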