I am using the following to extract two fields at search time, extract_domain and extract_ip:
source="dns2.log"
| rex "((?<extract_domain>(\w+(\(\d\))){1,}?)$)"
| rex mode=sed field=extract_domain "s/(\\(\\d\\))/./g"
| rex "(?<extract_ip>\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b)"
| rex mode=sed field=extract_domain "s/.$//"
I would like to look up the extract_domain field against a .csv file which looks something like this:
domain, status
splunk.com, good
facebook.com,bad
google.com, good
hi5.com, bad
I want to report on all domains with a status of bad.
I've followed the example for using lookup tables but it isn't working out.
Please help
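As an added example (not from the post and not Splunk's own code), the Python below reproduces the post's four rex stages on constructed DNS debug-log lines, then joins the result against the posted CSV to list the bad domains with the requesting IP. It assumes the events use the Windows DNS debug-log name encoding, where each label is preceded by its length in parentheses; the log lines are constructed samples.

```python
import csv
import re

# Constructed sample events in the Windows DNS debug-log name encoding the
# post's first rex expects: every label is preceded by its length, e.g. (6)splunk.
SAMPLE_LOG = """\
192.168.1.25 Q [0001 D NOERROR] A (6)splunk(3)com(0)
192.168.1.40 Q [0001 D NOERROR] A (8)facebook(3)com(0)
10.0.0.7 Q [0001 D NOERROR] A (3)hi5(3)com(0)
10.0.0.9 Q [0001 D NOERROR] A (6)google(3)com(0)
"""

# The lookup table exactly as posted, uneven spacing after the commas included.
LOOKUP_CSV = """\
domain, status
splunk.com, good
facebook.com,bad
google.com, good
hi5.com, bad
"""

# The post's rex patterns; Python spells a named group (?P<name>...).
DOMAIN_RE = re.compile(r"(?P<extract_domain>(\w+(\(\d\))){1,}?)$")
IP_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}"
                   r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b")

def extract_fields(line):
    """Emulate the rex stages: encoded name and client IP, (N) -> '.', drop trailing dot."""
    m = DOMAIN_RE.search(line)
    if m is None:
        return None
    domain = re.sub(r"\(\d\)", ".", m.group("extract_domain")).rstrip(".")
    ip = IP_RE.search(line)
    return domain, ip.group(0) if ip else None

def load_lookup(csv_text):
    """skipinitialspace drops the stray spaces after commas that an exact-match lookup would keep."""
    reader = csv.DictReader(csv_text.splitlines(), skipinitialspace=True)
    return {row["domain"]: row["status"] for row in reader}

def bad_domains(log_text, csv_text):
    """Return (client_ip, domain) for every event whose domain is marked bad."""
    table = load_lookup(csv_text)
    hits = []
    for line in log_text.splitlines():
        fields = extract_fields(line)
        if fields and table.get(fields[0]) == "bad":
            hits.append((fields[1], fields[0]))
    return hits
```

In Splunk the same join is "| lookup <your lookup> domain AS extract_domain OUTPUT status | where status="bad"", and because a lookup matches on the exact string it is worth checking that the uneven spaces after the commas in the CSV have not left a leading space in the status value.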