I'm trying to filter out false-positive domains in a search of DNS events by using NOT on the ut_domain field of the lookup table. The search runs but provides no results, despite there being events that should've been returned in the results.
```
sourcetype=infoblox:dns record_type!=SRV record_type!=PTR record_type!=SOA
| eval list="mozilla"
| `ut_parse(query, list)`
| search ut_domain NOT [|inputlookup FP_entropy_domains.csv | fields ut_domain]
| `ut_shannon(ut_subdomain)`
| search ut_shannon >= 4.0
| stats count by ut_netloc ut_shannon
| sort -ut_shannon, -count
```
The search works fine until I try to filter out the domains.
I've tried multiple iterations, including renaming the lookup file's column from ut_domain to domain and removing the ut_shannon >= 4.0 component, but nothing has worked:
```
| search NOT [|inputlookup FP_entropy_domains.csv | fields ut_domain]
| search ut_domain NOT [|inputlookup FP_entropy_domains.csv | fields domain]
| search NOT [|inputlookup FP_entropy_domains.csv | fields domain]
```
Splunk indicates that it's successfully looking up the csv, and the comparison to the domain/ut_domain column in the lookup table is happening - I just don't get any results at the end of it.
Every answer I find on Splunk Answers indicates it should work with the simple *|search NOT [|inputlookup | fields ]* and I can't see what I'm doing wrong in this case.
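As an added example (not from the poster, and not code from Splunk or the URL Toolbox app), the same detection pipeline reimplemented in Python over constructed DNS queries: split each query into registered domain and subdomain, compute the subdomain's Shannon entropy, drop queries whose domain appears in a false-positive allowlist standing in for FP_entropy_domains.csv, keep entropy >= 4.0, and count by domain. The domain split is a naive last-two-labels assumption, not ut_parse's suffix-list logic.

```python
import math
from collections import Counter

# Constructed sample DNS query names (not real traffic). The first two and the
# fourth carry high-entropy subdomains of the kind the search is hunting for.
QUERIES = [
    "aHR0cDovL2V4YW1wbGUuY29tL3dlYi9z.tunnel.example",
    "d2h5IGFyZSB5b3UgZGVjb2Rpbmc.tunnel.example",
    "firefox.settings.services.mozilla.com",
    "k7x2q9z1m4p8v3n6b5c0.mozilla.com",
    "q8f3kz1m7x2vp9n4c6b5.cdn.example",
    "www.example.org",
]
# Constructed allowlist playing the role of the FP_entropy_domains.csv lookup.
FP_ALLOWLIST = {"mozilla.com"}


def shannon(s):
    """Shannon entropy in bits per character (what ut_shannon computes);
    0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_domain(fqdn):
    """Naive (registered domain, subdomain) split: the last two labels are the
    registered domain. Assumption: no public-suffix handling, unlike ut_parse."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) <= 2:
        return fqdn, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def high_entropy_domains(queries, allowlist, threshold=4.0):
    """Return {registered domain: count} for queries whose subdomain entropy is
    >= threshold, skipping domains in the allowlist (the NOT-inputlookup step)."""
    counts = Counter()
    for q in queries:
        domain, sub = split_domain(q)
        if domain in allowlist:
            continue  # known false positive, filtered before scoring
        if shannon(sub) >= threshold:
            counts[domain] += 1
    return dict(counts)


if __name__ == "__main__":
    for domain, count in sorted(high_entropy_domains(QUERIES, FP_ALLOWLIST).items(),
                                key=lambda kv: -kv[1]):
        print(f"{domain}\t{count}")
```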