Re: Search _raw for values in a csv?

rbogner · ‎07-26-2016

I've confirmed that the following search works:

index=* sourcetype=proxy | eval domain="google" | where match(_raw,domain) | table _raw

but instead of defining domain on the command line, I'd like to pull values from a column called domain in the file ioc.csv that I uploaded.

Any ideas?

sundareshr · ‎07-26-2016

Try this

index=* sourcetype=proxy [ inputlookup mydomains | table domain | eval domain="*".domain."*" | rename domain AS search | format]

dshpritz · ‎07-26-2016

You can do this with a subsearch:

index=* sourcetype=proxy [ inputlookup mydomains | table domain | rename domain AS search | format]

If you specifically wanted to check the domain field for a match, you could use the following:

index=* sourcetype=proxy [ inputlookup mydomains | fields domain]

As long as the field name in the input matches the field name in the data (for example if you have a field in the lookup named "domain" and then the field in your proxy data is "domain" as well). If the field names do not match, you can use a rename command in the subsearch:

index=* sourcetype=proxy [ inputlookup mydomains | fields badguy | rename badguy AS domain]

rbogner · ‎07-26-2016

Great stuff, thanks guys.

Search _raw for values in a csv?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases