Hello,
I am currently using a lookup table and definition to compare a list of IPs, Domains, URLs, etc. against certain fields in Splunk for matches. This query is used in a dashboard with multiple panels. Below is my query after lookup tables and definitions are established.
index="INDEX" [|inputlookup FILE.csv | return 50000 $indicator]| table action, src_ip, source, dst, destination, dst_ip, dstprt, filehash_md5, filehash_sha1, filehash_sha256, affectedFileHash | stats count
Sometimes I come across a URL that contains an equal sign '=' in it and it causes the query to not work with the following error.
Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side: "http://IP/ies/api.cgi?act"=getConfig&id.
or
Error in 'search' command: Unable to parse the search: unbalance parenthesis.
Both seem to be tied to the same URLs that have equal signs in them and I am unable to find a solution or workaround for this. The lookup table is put together using Python PANDAS so I could always use some data wrangling if need be, but so far my attempts have failed.
I also noticed that using the search bar in splunk accepts the URL string if I use double ticks, versus single but as far as making that the standard output when using the inputlookup and the dashboards, I am not sure.
... View more