How to filter data in an input lookup table
07-18-2023 12:16 PM

| inputlookup "GSOCdata230717.csv" | fields sourceaddress, destinationaddress, protocolid, destinationport, psrsvdgc | stats sum(psrsvdgc) as count by sourceaddress, destinationaddress, protocolid, destinationport

This builds a table with the specified data types.

I am having a hard time trying to understand the difference between "lookup", "inputlookup", and "outputlookup". I am also trying to get a basic real world example of why one may use one over the other. I am assuming that you first have to create the actual lookup file, which I have done from a static csv file that contains some malicious domains. My badfile.csv contains a field of "Domain" and let's say I am trying to search my "weblogs" sourcetype, and those logs also have the field name of "Domain". I know I need a common field in my lookup file that matches the sourcetype I am trying to search from, so a correlation can be made. I am trying to figure out if I could use the "inputlookup" command to search for any hits or if I need to use the "lookup" command, or if I need to use a combination of both. Also, how would the outputlookup command play into this? I guess I am not sure what inputlookup vs lookup does and am just looking for a more clear definition. Any information that anyone can provide to give a basic understanding to a beginner is much appreciated.

For reference: the docs have a page for each command: lookup, inputlookup and outputlookup.

- lookup adds data to each existing event in your result set based on a field existing in the event matching a value in the lookup.
- inputlookup takes the table of the lookup and creates new events in your result set (either created completely or added to a prior result set).
- outputlookup takes the current event set and writes it to a CSV or KVStore.

With your case there are two ways that I can think about this being done offhand, with certain tradeoffs. Assuming you have a lookup defined named baddomains with the field Domain, one way to search would be:

sourcetype=weblogs [| inputlookup baddomains | fields Domain]

The subsearch would translate your lookup into the query ((Domain="bad.com") OR (Domain="bad.biz")). Subsearches have limitations as far as number of rows and execution time, and you'll want to figure out if this makes sense or not.

If your lookup has another field, say is_bad, that has a "1" if a domain is bad, then your search could be:

sourcetype=weblogs | lookup baddomains Domain OUTPUT is_bad | where is_bad="1"

Additionally you can use props.conf to automatically do this lookup for all events in your sourcetype and then just search sourcetype=weblogs is_bad=1.

The tradeoff here in a distributed environment where your search head is separate from your indexers is that the lookup either has to be distributed to your indexers (CSV: any changes means distributing the whole thing each time, which could be expensive depending on size of the lookup again; KVStore can distribute per key value pair, but takes some additional setup IIRC), or you have to stream all the events to the search head to perform the lookup with local=true, which could be expensive depending on how much data you're talking about, and precludes the automatic lookup. You are also potentially reading a lot more data than is initially necessary. Both ways can work, but a lot depends on the relative sizes of data and your environments.
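The automatic lookup the reply mentions, spelled out as an added example (not configuration from the thread): it assumes the asker's badfile.csv has been rewritten as baddomains.csv with the extra is_bad column, and that both stanzas live in the same Splunk app.

```ini
# transforms.conf: define a lookup named "baddomains" backed by a CSV in the
# app's lookups/ directory. Build that CSV once from the asker's badfile.csv,
# adding the is_bad helper column the reply suggests (a search, run once):
#   | inputlookup badfile.csv | fields Domain | eval is_bad=1 | outputlookup baddomains.csv
[baddomains]
filename = baddomains.csv
# Domain names are case-insensitive, so "EVIL.example" must still match "evil.example"
case_sensitive_match = false

# props.conf: run the lookup for every event of the weblogs sourcetype at
# search time. The LOOKUP-<name> key takes the same arguments as | lookup:
# <lookup stanza> <event field> [AS <lookup field>] OUTPUT <fields to add>.
[weblogs]
LOOKUP-baddomains = baddomains Domain OUTPUT is_bad

# With this in place the explicit pipeline
#   sourcetype=weblogs | lookup baddomains Domain OUTPUT is_bad | where is_bad="1"
# collapses to
#   sourcetype=weblogs is_bad=1
# Caveat from the reply: the lookup now runs on the indexers, so the CSV is
# shipped to them in the knowledge bundle and re-shipped in full whenever it
# changes; a large or frequently updated list is better kept in the KV store
# or applied on the search head with | lookup local=true.
```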