I'm not sure whether or not this is a unique problem, but I'm hoping someone can help even if I'm overlooking an obvious solution :-).
I have a lookup table that is a domain whitelist that we allow through our proxies. For example, let's pretend a portion of this lookup table is like this (keeping in mind that some of the whitelisted domains might be sub-domains):
uri_host
------------------
google.com
amazon.com
yahoo.com
answers.splunk.com
...
What I'm trying to figure out is if there is a way to not only use this lookup table to search across the proxy logs, but also add a field to each resulting event called, say, "match_string" that contains the value from the lookup table that caused the event to match.
For example, if in the proxy logs there are events of people browsing to "maps.google.com" and "images.google.com", those would match my whitelist due to "google.com" being there, but I want to somehow tie that back to the lookup table so that I know it shows up in the results because it matched against "google.com". The results of this might look like:
uri_host            match_string
------------------  ------------------
maps.google.com     google.com
images.google.com   google.com
mail.yahoo.com      yahoo.com
answers.splunk.com  answers.splunk.com
Hopefully that explains what I'm trying to do well enough, and thank you in advance to anyone who can help!
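The matching the post describes is a domain-suffix match: a logged host is whitelisted when it equals a lookup entry or ends with "." plus that entry, and the entry that fired becomes the match_string. The script below is an added example of that logic (it is not from the original post and not Splunk SPL); the whitelist and proxy events in it are constructed sample data. It handles two edge cases a naive "contains" or "endswith" check gets wrong: "notgoogle.com" must not match "google.com", and when several entries match a host (say both "splunk.com" and "answers.splunk.com" were whitelisted) the longest, most specific entry is reported.

```python
# Added example: suffix-match proxy-log hosts against a domain whitelist and
# record which whitelist entry caused the match ("match_string").
# WHITELIST and SAMPLE_EVENTS are constructed sample data, not real logs.

WHITELIST = ["google.com", "amazon.com", "yahoo.com", "answers.splunk.com"]


def match_string(uri_host, whitelist=WHITELIST):
    """Return the whitelist entry that matches uri_host, or None.

    A host matches an entry when it equals the entry or ends with
    "." + entry, so "maps.google.com" matches "google.com" while
    "notgoogle.com" does not. If several entries match, the longest
    (most specific) one wins.
    """
    host = uri_host.strip().lower().rstrip(".")
    best_entry, best_len = None, -1
    for entry in whitelist:
        # Normalise the lookup value but return it exactly as listed,
        # so match_string is the literal value from the lookup table.
        e = entry.strip().lower().strip(".")
        if not e:
            continue
        if host == e or host.endswith("." + e):
            if len(e) > best_len:
                best_entry, best_len = entry, len(e)
    return best_entry


def tag_events(events, whitelist=WHITELIST):
    """Keep only whitelisted events and add a match_string field to each."""
    tagged = []
    for ev in events:
        m = match_string(ev["uri_host"], whitelist)
        if m is not None:
            tagged.append({**ev, "match_string": m})
    return tagged


# Constructed proxy events, including two that must NOT be whitelisted.
SAMPLE_EVENTS = [
    {"uri_host": "maps.google.com"},
    {"uri_host": "images.google.com"},
    {"uri_host": "mail.yahoo.com"},
    {"uri_host": "answers.splunk.com"},
    {"uri_host": "notgoogle.com"},      # suffix trap: not a google.com host
    {"uri_host": "docs.splunk.com"},    # only answers.splunk.com is listed
]


if __name__ == "__main__":
    for ev in tag_events(SAMPLE_EVENTS):
        print(f'{ev["uri_host"]:20} {ev["match_string"]}')
```

Running it prints the four whitelisted hosts with their match_string and silently drops "notgoogle.com" and "docs.splunk.com". The same two checks (exact match or dot-prefixed suffix; longest entry wins) are the ones to verify against whatever lookup mechanism you end up using, since a plain substring match would let look-alike hosts through.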