You can also look at the Splunk format command, if you need to alter the sub-search's expression format, for example, adding * around each returned expression. This expression is then appended to the original search string, so the final search that Splunk executes is index=someindex host=host*p* "STATIC_SEARCH_STRING" ("alice") OR ("bob") OR ("charlie") This is a special field in sub-searches when the sub-search returns the field query, it is expanded out into the expression (field_value_1) OR (field_value_2) OR. If it does not then youll need a rename command in the subsearch. Now, from your browser, log into Splunk and reload the nf and nf file for your new additions: sourcetypemail extract reloadtrue. We then use fields to ensure there is only a single field ( UserList) in the data. First, make sure the suricata:dns sourcetype has a field called 'destip'. This video covers the demo of using Inputlookup for CSV file. What is happening here is that there is a sub-search, which does an inputlookup on the users.csv file. This video explains types of lookups in Splunk and its commands. Index=someindex host=host*p* "STATIC_SEARCH_STRING"
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |