Some of the Splunk lookup-related quirks are:
1. The filename must end in .csv.
2. The column name in the lookup must be the same as a field name in Splunk; it must match exactly.
Example 1
index="whatever" sourcetype="dns"
NOT [| inputlookup whitelist.csv
| fields query ]
*whitelist.csv must have the column name as query.
Example 2
Lookup in secondary search
index="whatever" sourcetype="dns"
| eval DomainName={Logic........}
| search NOT [| inputlookup whitelistdomain.csv
| fields DomainName ]
| stats dc(Host) AS HostsPerDomain BY DomainName
*whitelistdomain.csv must have the column name as DomainName.
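To show why quirk 2 matters, here is an added Python simulation (not from the post) of how the subsearch in both examples is expanded: each CSV row becomes a field=value term whose field is the CSV header, so a header that does not match an event field filters nothing and the whitelist silently stops working. The DNS events, the lookup file contents and the domain-extraction logic standing in for the post's `{Logic........}` are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: DNS events as Splunk would present them (field -> value).
DNS_EVENTS = [
    {"Host": "ws01", "query": "updates.example.com"},
    {"Host": "ws02", "query": "updates.example.com"},
    {"Host": "ws03", "query": "cdn.example.net"},
    {"Host": "ws01", "query": "x7f3q.bad-domain.test"},
    {"Host": "ws04", "query": "api.bad-domain.test"},
]

# Constructed lookup files; the header row is the lookup's column name.
WHITELIST_CSV = "query\nupdates.example.com\ncdn.example.net\n"
WRONG_HEADER_CSV = "Query\nupdates.example.com\ncdn.example.net\n"  # no event has field "Query"
WHITELIST_DOMAIN_CSV = "DomainName\nexample.com\nexample.net\n"

def inputlookup(csv_text):
    """Rows of a CSV lookup as field->value dicts, like `| inputlookup file.csv`."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def subsearch_terms(rows):
    """A subsearch's result rows are rewritten into (field=value OR ...) terms,
    so the CSV header becomes the field name compared against each event."""
    return [(field, value) for row in rows for field, value in row.items()]

def not_in_lookup(events, csv_text):
    """Simulates `search NOT [| inputlookup file.csv | fields <col>]`: an event is
    kept unless one expanded field=value term matches one of its own fields."""
    terms = subsearch_terms(inputlookup(csv_text))
    return [e for e in events if not any(e.get(f) == v for f, v in terms)]

def extract_domain(fqdn):
    """Assumed stand-in for the post's `eval DomainName={Logic...}`: last two labels."""
    return ".".join(fqdn.split(".")[-2:])

def hosts_per_domain(events, csv_text):
    """Example 2: eval DomainName, filter with the lookup, then dc(Host) BY DomainName."""
    enriched = [dict(e, DomainName=extract_domain(e["query"])) for e in events]
    kept = not_in_lookup(enriched, csv_text)
    hosts = defaultdict(set)
    for e in kept:
        hosts[e["DomainName"]].add(e["Host"])
    return {domain: len(h) for domain, h in hosts.items()}
```

With the correctly named header only the two bad-domain.test events survive; with the mismatched header all five pass through, which is the failure mode to check for when a whitelist appears to have no effect.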