Hi Splunkers,
I have a CSV file that contains several different IOCs, such as domains, hashes, ip addresses, and email addresses. I would like to perform a search and return all matches with a count.
file name:ioc.csv
column field :ioc
Example of CSV file:
ioc
badstuff.com
45CD661D53DFC80A0A5A7927F9EE313L
I am able to get the search to work and return the events with the following query:
index=* sourcetype=* [|inputlookup ioc.csv |rename ioc as query|fields query]
The problem I am having is returning a count for the matches, since some matches fall under different fields. For example, suppose the search listed above returns a total of 3 events: 2 domain matches and 1 hash match. If I did the following:
index=* sourcetype=* [|inputlookup ioc.csv |rename ioc as query|fields query]|stats count by domain
The domain matches will return with the count, but not the hash results. How would I go about performing a count on all matches that are returned?
Thanks in Advance!
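As an added example (not the poster's query), one way to count every IOC hit regardless of which event field it landed in: keep the subsearch that narrows the events, gather the candidate fields into one multivalue field, expand it, and run the same CSV back through `lookup` so that only values present in ioc.csv survive. The field names `domain`, `hash`, `src_ip`, `dest_ip` and `sender` are assumptions about this data; only `domain` appears in the original post, so substitute whatever fields hold your domains, hashes, addresses and senders. It also assumes ioc.csv is usable by `lookup` the same way it already is by `inputlookup`.

```spl
index=* sourcetype=*
    [| inputlookup ioc.csv | rename ioc AS query | fields query]
| eval candidate=mvappend(domain, hash, src_ip, dest_ip, sender)   /* assumed field names */
| mvexpand candidate
| lookup ioc.csv ioc AS candidate OUTPUT ioc AS matched_ioc   /* null when candidate is not an IOC */
| where isnotnull(matched_ioc)
| eval ioc_type=case(
      match(matched_ioc, "^[0-9a-fA-F]{32}$"), "md5",
      match(matched_ioc, "^[0-9a-fA-F]{40}$"), "sha1",
      match(matched_ioc, "^[0-9a-fA-F]{64}$"), "sha256",
      match(matched_ioc, "^\d{1,3}(\.\d{1,3}){3}$"), "ip",
      match(matched_ioc, "@"), "email",
      true(), "domain")
| stats count AS hits, values(ioc_type) AS ioc_type BY matched_ioc
| addcoltotals hits labelfield=matched_ioc label="TOTAL"
```

With the 3-event scenario from the post (2 domain hits, 1 hash hit) this yields one row per matched IOC with its hit count and a TOTAL row of 3. Drop the `addcoltotals` line and change the `stats` to `BY ioc_type` if you only want the breakdown by indicator type. Note that `mvexpand` emits one row per candidate value, so an event carrying two different IOCs is counted once for each, which is usually what you want for indicator-hit reporting.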