I am trying to compare two indexes (malicious domains against proxy logs) using an evaluated field. I have a subsearch which pulls from two fields (host and uri) and want to match it against a field (host and uri) of the parent search.
index=proxy_logs method=GET [inputlookup malicious_urls.csv | eval full_url=host.uri | table full_url] | eval full_url=host.uri | table full_url
It is not returning any events, but it should, as I'm using test data. I've tried putting the eval before the subsearch, which I assumed was the problem, like this:
index=proxy_logs method=GET | eval full_url=host.uri | search [inputlookup malicious_urls.csv | eval full_url=host.uri | table full_url] | table full_url
This also doesn't return any results. Any recommendations? I will also take a solution that allows me to return both the host and uri individually and compare them against host and uri in the proxy logs, but I couldn't find that solution either. I can successfully match on just one field, the host, but this is rather noisy as many of the domains are domain shorteners.
Any help is appreciated. Thanks.
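One way to match on both host and uri at once without a subsearch is to use the lookup command against the CSV directly, so that a row matches only when both fields agree. This is an added example, not the poster's search; it assumes malicious_urls.csv is uploaded as a lookup file with columns named host and uri, and mal_host is a name chosen here for the output field.

```spl
index=proxy_logs method=GET
| eval full_url=host.uri
| lookup malicious_urls.csv host AS host, uri AS uri OUTPUT host AS mal_host
| where isnotnull(mal_host)
| table _time host uri full_url
```

Events with no matching row in the CSV get no mal_host value and are dropped by the where clause, so the output is only the proxy requests whose host and uri pair appears in the malicious list; check that the host and uri values in the CSV are formatted the same way as in the proxy events (no scheme prefix, same leading slash on uri), since lookup matching is exact.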