I am currently matching a list of "bad IPs" with a search such as this:
index=someindex NOT uri="/dot_clear.gif" [| inputlookup watchlist_ip_lookup.csv | rename watch_ip as clientip | fields + clientip] | dedup clientip | lookup ga ip as clientip | table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other
How can I do a similar search with a partial text match in, say, the URI, e.g. from sourcetype access_combined, searching on a partial domain match like .*somedomain.com.*?
I would like to use these domain strings in an inputlookup table like the IP list I attached above,
possibly with a rex match on the uri? I am just not getting the format right.
Thanks.
If it's just a matter of using wildcards, you can let the regular search command take care of that.
index=someindex NOT [|inputlookup yourlookup | eval query="uri=*".domain."*" | fields query] | ...
Ayn, another follow-up question 🙂
If I wanted to match on a string anywhere in the _raw events, the following works, but it seems rather slow on large indexes.
Perhaps there is a better way.
index=www NOT uri="/dot_clear.gif" [|inputlookup watchlist_string_lookup | eval query="_raw=".watch_string."" | fields query] | lookup ga ip as clientip | table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other, watch_string
Thanks Ayn, I changed domain to my "watch_list" header in the CSV and that works for me 🙂
Edit:
Actually I removed the NOT too, and this seems to work:
index=someindex NOT uri="/dot_clear.gif" earliest=-1h [|inputlookup watchlist_string_lookup | eval query="uri=".watch_string."" | fields query] | lookup ga ip as clientip | table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other
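An added example, not from the original thread, that puts Ayn's subsearch pattern and the two follow-up searches above into one complete search. It assumes a constructed lookup file watchlist_string_lookup.csv with a single column, watch_string, holding plain domain fragments (for instance somedomain.com and evil-cdn.net) without any wildcards, and reuses the field names and the ga lookup already used in the thread.

```spl
index=someindex sourcetype=access_combined NOT uri="/dot_clear.gif" earliest=-1h
    [| inputlookup watchlist_string_lookup.csv
     | eval query="uri=*" . watch_string . "*"
     | fields query]
| dedup clientip
| lookup ga ip AS clientip
| table _time, clientip, country, org, status, referer, uri, host, sourcetype, index
```

With the two constructed rows the subsearch expands to ( uri=*somedomain.com* ) OR ( uri=*evil-cdn.net* ), so each row must produce a complete search clause, and watch_string itself never reaches the outer events, which is why tabling it as in the _raw version above yields an empty column. The leading wildcards cannot use the index and are the usual reason such a search crawls on large indexes, so keep the time range tight as in the last search above.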