Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search using a list as input?

four
Engager
‎05-09-2012 10:34 AM

I have a list of domain names in an input file. I have a log source with a bunch of dns logs. I want to return any logs tha have even a partial match of the dns names.

So dns.txt has:

blah.com
lol.com
...

And my log source has a field called "hostname" that might be like "toad.blah.com". If blah.com from dns.txt matches as a substring in the hostname field, then I want to see that log in my result set.

Thanks!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎05-09-2012 11:00 AM

I think this is similar to what you are trying to do and should help get you there. Your file would look like this with dns_name or whatever you call it as the header.

dns_name
blah.com
lol.com

http://splunk-base.splunk.com/answers/2457/inputlookup-against-a-list-of-bad-domains

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎05-09-2012 11:00 AM

I think this is similar to what you are trying to do and should help get you there. Your file would look like this with dns_name or whatever you call it as the header.

dns_name
blah.com
lol.com

http://splunk-base.splunk.com/answers/2457/inputlookup-against-a-list-of-bad-domains

Reply
Solved! Jump to solution

rgonzale6
Path Finder
‎05-09-2012 11:00 AM

You'd do something like this...

index=*whatever* [inputlookup dns.txt.csv | fields hostname | rename hostname as search]

Your .csv file has to be in a 'lookups' directory in either the parent or a child local directory - like /opt/splunk/etc/apps/search/lookups. (I've only used .csv files - not sure .txt would work)

In this case, dns.txt.csv is a single-column csv with hostname (being the column name, etc) as the first value and the domains to be searched as the subsequent lines. The 'rename fields as search' means it'll return more than just 1:1 value matches - ex: blah.com will match when hostname=toad.blah.com and when hostname=blah.com instead of just the latter.

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...