How can I use a lookup table for a partial match against an index?

dusoldkai
New Member

What I wanted to do is a simple search in our proxy logs to find accesses to known bad domain names. Currently we do not have the threat-intelligence app installed.

I created a lookup table that consists of only one column, called murl, containing domain names hosting malicious sites.

| inputlookup table.csv produces a simple list:

covidcyphers.com
covid19sci.com
suite401-covid19.com
covid-taskforce.com
titan-covid19.online

If I use that as a lookup in a search I do not get matches, even when I use domains included in the log.

index="proxy" | eval murl=url | lookup table.csv murl AS url OUTPUTNEW murl AS new| where dst like new
(I also tried "%new%" and the like)

I then tried to use inputlookup in a subsearch instead:

index="proxy" url !="" [inputlookup table.csv where url in(murl) ]

and it told me that the in function needs a list of strings concatenated by commas: string1,string2,string4

So I experimented with the format/return (1000 $murl) commands:

index="proxy" where url IN([inputlookup table.csv| fields murl| format "" "" "," "" "" ""])

but did not reach my goal …

Is there a way to change the inputlookup result into a comma-separated list to be used in the IN function?
Or does anybody have a search command that can do a partial match by a list of values provided by a lookup table?

Thank you very much

Kai

manjunathmeti
SplunkTrust

Try this:

index="proxy" [ | inputlookup table.csv | eval url="*".murl."*" | fields url | format]

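The following is an added example, not code from the thread or from Splunk. It shows in Python what the accepted answer's subsearch expands to (each murl row becomes a url="*domain*" term and format ORs them together in its default layout), and it contrasts that wildcard substring match with a stricter hostname-suffix check. The lookup rows are copied from the question; the proxy events, the src field and the Python function names are constructed for this example.

```python
"""
Added example (not part of the original thread): reproduce the search string
the accepted answer's subsearch returns, then compare the wildcard substring
match it performs with a stricter hostname-suffix match.
"""
from urllib.parse import urlsplit

# Copy of the one-column lookup table (murl) from the question.
LOOKUP_MURL = [
    "covidcyphers.com",
    "covid19sci.com",
    "suite401-covid19.com",
    "covid-taskforce.com",
    "titan-covid19.online",
]

# Constructed proxy events; only the url field is used by the matchers.
PROXY_EVENTS = [
    {"src": "10.0.0.11", "url": "http://covid19sci.com/login.php"},
    {"src": "10.0.0.12", "url": "https://cdn.titan-covid19.online/x.js"},
    {"src": "10.0.0.13", "url": "https://www.example.org/covid-taskforce.com/faq"},
    {"src": "10.0.0.14", "url": "https://covid19sci.com.phish.example/"},
    {"src": "10.0.0.15", "url": "https://intranet.example.org/"},
]


def expand_subsearch(murls, field="url"):
    """Build the string the subsearch
    `| inputlookup table.csv | eval url="*".murl."*" | fields url | format`
    hands back to the outer search: one wildcard term per row, joined by OR
    in format's default "( ( ... ) OR ( ... ) )" layout.
    """
    terms = [f'( {field}="*{m}*" )' for m in murls]
    return "( " + " OR ".join(terms) + " )"


def wildcard_match(url, murls):
    """Substring match, i.e. what url="*domain*" does in the search.

    Returns the first lookup value found anywhere in the URL, or None.
    """
    for m in murls:
        if m.lower() in url.lower():
            return m
    return None


def host_suffix_match(url, murls):
    """Stricter check: the URL's hostname must equal the bad domain or be a
    subdomain of it.  This ignores matches in the path and does not flag a
    longer host that merely starts with the bad domain.
    """
    host = (urlsplit(url).hostname or "").lower()
    for m in murls:
        m = m.lower()
        if host == m or host.endswith("." + m):
            return m
    return None


def find_hits(events, murls, matcher):
    """Return (src, url, matched_domain) for each event the matcher flags."""
    hits = []
    for ev in events:
        matched = matcher(ev["url"], murls)
        if matched is not None:
            hits.append((ev["src"], ev["url"], matched))
    return hits


if __name__ == "__main__":
    print(expand_subsearch(LOOKUP_MURL))
    print("wildcard   :", find_hits(PROXY_EVENTS, LOOKUP_MURL, wildcard_match))
    print("host suffix:", find_hits(PROXY_EVENTS, LOOKUP_MURL, host_suffix_match))
```

On the constructed events the wildcard form flags four of the five (including the one where the bad domain only appears in the URL path and the one where it is a prefix of a longer lookalike host), while the hostname-suffix form flags two. The wildcard search is what the accepted answer produces and is the quickest way to get hits from a one-column lookup; if the proxy logs also carry a separate host or dst field, matching that field against the lookup gives fewer false positives than matching the full url.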

dusoldkai
New Member

Thank you very much! I thought it must be very easy 😉
