Good afternoon All,
I am having a hard time trying to understand the difference between "lookup", "inputlookup", and "outputlookup". I am also trying to get a basic real world example of why one may use one over the other. I am assuming that you first have to create the actual lookup file, which I have done from a static csv file that contains some malicious domains. I called this file badfile.csv.
My badfile.csv contains a field of "Domain" and let's say I am trying to search my "weblogs" sourcetype, and those logs also have the field name of "Domain". I know I need a common field in my lookup file that matches the sourcetype I am trying to search from, so a correlation can be made.
I am trying to figure out if I could use the "inputlookup" command to search for any hits or if I need to use the "lookup" command, or if I need to use a combination of both. Also, how would the outputlookup command play into this?
I guess I am not sure what inputlookup vs lookup does and am just looking for a clearer definition.
Any information that anyone can provide to give a basic understanding to a beginner is much appreciated.
Thanks
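Three example searches built on the names in the question (badfile.csv with its Domain field, and the weblogs sourcetype), showing each command in the role it is meant for; they are added here as an illustration and are not from the original post. They assume badfile.csv has been uploaded to Splunk as a lookup table file, and the output file name bad_domain_hits.csv is made up for the example.

```spl
| inputlookup badfile.csv

sourcetype=weblogs [| inputlookup badfile.csv | fields Domain]
| stats count AS hits BY Domain

sourcetype=weblogs
| lookup badfile.csv Domain OUTPUTNEW Domain AS matched_domain
| where isnotnull(matched_domain)
| stats count AS hits BY Domain
| outputlookup bad_domain_hits.csv
```

The first search only displays the rows of badfile.csv (inputlookup reads a lookup as if it were data); the second uses inputlookup inside a subsearch, which Splunk expands into a filter of the form (Domain="a") OR (Domain="b") ... applied to the weblogs events. The third uses lookup to enrich every event with a matched_domain field (only set when the event's Domain is in the file), keeps the matches, and outputlookup writes the per-domain counts into a new lookup that later searches can read with inputlookup.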