Thank you, that hint in combination with the link https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Usefieldlookupstoaddinformationtoyourevents worked!
I also had to change my lookup file to include wildcards in the corresponding columns.
*smith*,*john*, CEO of Some Inc
The working search is then
index="mail" sourcetype="emailserver" direction="incoming" | lookup namesDefinition.csv name as from prename as from OUTPUT comment | where isnotnull(comment)
Thank you for the hint with the lookup table. That sounds too good! No nested subsearches would be very good. I adjusted my search:
index="mail" sourcetype="emailserver" direction="incoming" | lookup names.csv name,prename OUTPUT comment | where isnotnull(comment)
But it does not match log entries. I guess that is because there are no wildcards in my lookup table. Can I adjust the search in a way to match a partial string?
index="mail" sourcetype="emailserver" direction="incoming" | lookup names.csv ("*".name."*"),("*".prename."*") as from OUTPUT comment | where isnotnull(comment)
I would like to find occurrences of Name and Prename in email logfiles and only report those that match both columns of an inputlookup table.
An event from the email server contains Envelope-Sender (suser), Recipient (duser), Content-Sender (from) and some more fields that are not interesting for this task.
My inputlookup table names.csv looks like
smith,winston,added on 15.05.20
When using two subsearches in a regular search like the following
index="mail" sourcetype="mailserver" direction="incoming" [| inputlookup names.csv | eval from="*".name."*"| fields from| format] [| inputlookup names.csv| eval from="*".prename."*"| fields from| format] | fields suser,duser,from| format
all matches are displayed: matches for "name" and for "prename".
I tried to use the WHERE clause, but the from field does not exist in the input lookup table. I did not manage to find a regex that can search for both fields' content (name and prename) in the same eval clause, independent of the location of the search patterns in the target string.
Maybe if clauses can be used in nested form?
I also tried a join like this:
(index="mail" sourcetype="mailserver" direction="incoming" [| inputlookup names.csv | eval from="*".prename."*"| fields from| format] ) join type=inner from ([ search index="mail" sourcetype="mailserver" direction="incoming" [| inputlookup names.csv| eval from="*".name."*"| fields from| format]]) |table _time,suser,duser,from
But I did not get any matches, although the data does have from entries with both values (name, prename) in them.
The lookup-table names.csv was created to be case-insensitive.
Is there a way to join two subsearches and get only the values that matched both searches?
Or is there an easy way to use an eval clause on a single field that can search for two search patterns at the same time (independent of the location of the pattern in the search field)?
What I wanted to do is a simple search in our proxy logs to find accesses to known bad domain names. Currently we do not have the threat intelligence app installed.
I created a lookup table that only consists of one column called murl containing domain names hosting malicious sites.
| inputlookup table.csv produces a simple list
covidcyphers.com covid19sci.com suite401-covid19.com covid-taskforce.com titan-covid19.online
If I use that as a lookup in a search I do not get matches, even when I use domains included in the log.
index="proxy" | eval murl=url | lookup table.csv murl AS url OUTPUTNEW murl AS new| where dst like new (I also tried "%new%" and things alike)
I then tried to use inputlookup in a subsearch instead:
index="proxy" url !="" [inputlookup table.csv where url in(murl) ]
and it told me that the IN function needs a list of strings separated by commas (string1,string2,string4),
so I experimented with the format/return (1000 $murl) commands:
index="proxy" where url IN([inputlookup table.csv| fields murl| format "" "" "," "" "" ""])
but did not reach my goal.
Is there a way to change the inputlookup result into a comma-separated list to be used in the IN function? Or does anybody have a search command that can do a partial match by a list of values provided by a lookup table?
Thank you very much
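As an added example (not from the original posts), this is the lookup-definition side that makes the wildcard rows in both the e-mail thread and the proxy thread above work: a CSV lookup only honours `*` in its rows when the lookup definition in transforms.conf declares `match_type = WILDCARD(<field>)`. The stanza names `namesDefinition` and `badDomains` and the CSV contents are assumptions.

```ini
# transforms.conf, e.g. $SPLUNK_HOME/etc/apps/<app>/local/transforms.conf
# Example configuration, not from the original posts; stanza names are assumed.

# Lookup for the e-mail thread: names.csv with header   name,prename,comment
# and rows such as                                      *smith*,*john*,CEO of Some Inc
[namesDefinition]
filename = names.csv
# Without this line the asterisks are compared literally and no event matches.
match_type = WILDCARD(name), WILDCARD(prename)
# Match "Smith" as well as "smith"; the default is case-sensitive matching.
case_sensitive_match = false

# Lookup for the proxy thread: table.csv with header    murl
# and rows such as                                      *covidcyphers.com*
[badDomains]
filename = table.csv
match_type = WILDCARD(murl)
case_sensitive_match = false
```

With these definitions the searches become `index="mail" sourcetype="emailserver" direction="incoming" | lookup namesDefinition name AS from prename AS from OUTPUT comment | where isnotnull(comment)` (both patterns must match the same `from` value) and `index="proxy" | lookup badDomains murl AS url OUTPUT murl AS matched | where isnotnull(matched)`. Only events that match a lookup row receive the output field, so the `where isnotnull(...)` keeps exactly those.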