How to create an INPUTLOOKUP that matches field1 b...

mobrienmoore1 · ‎03-29-2018

Hello,
I am trying to perform a search against a lookup table that contains 2 columns (RDOMAIN and SDOMAIN). I would like the search to pull back all matching SDOMAINS and anything that does NOT match RDOMAIN.

elliotproebstel · ‎03-29-2018

I read your requirement: "I would like the search to pull back all matching SDOMAINS and anything that does NOT match RDOMAIN" two possible ways:
1. Return all events which match SDOMAINS and all events which do not match RODMAIN
2. Return all events which match SDOMAINS and which do not match RDOMAIN

For the first:

sourcetype=8*
| rex field=rcpt "\S+@(?<RDOMAIN>\S+)" 
| rex field=from "\S+@(?<SDOMAIN>\S+)"
| search 
 [| inputlookup "MMDomains.csv" 
 | fields SDOMAIN ]
OR NOT 
 [| inputlookup "MMDomains.csv" 
 | fields RDOMAIN ]

For the second:

sourcetype=8*
| rex field=rcpt "\S+@(?<RDOMAIN>\S+)" 
| rex field=from "\S+@(?<SDOMAIN>\S+)"
| search 
 [| inputlookup "MMDomains.csv" 
 | fields SDOMAIN ]
NOT 
 [| inputlookup "MMDomains.csv" 
 | fields RDOMAIN ]

How to create an INPUTLOOKUP that matches field1 but NOT field2?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!