Hi my friend, thanks again for your help.
I tried your suggestion, but back slashes appears as new url value if I print the results, something like this "https:\example[.]com".
In order to be sure that there is a match between both url values (event url and url in lookup db) I performed and eval
my search | eval url=case(service=="HTTP","http:\/\/".url,service=="HTTPS","https:\/\/".url)
| eval url=replace(url,"/","") | lookup threat_source url_threat as url | eval url_state = if(url_threat==url,"MATCH","NO MATCH") | table _time,src,dest,url,url_state
Unfortunately, I get "no match" for the final table.
... View more