Hello everyone!
My initial search gives me events with the URLs that users clicked using the Outlook client. After a bit of REGEX magic, I have extracted the URL from the event, which looks something like "www.Jon.com". I have a CSV file called "URLDatabase" that has very similar content to the text box below. What I want is to check whether the identified URL "www.Jon.com" is in the CSV under the url column and, if it is, to extract/return the full URL from the CSV file.
My problem is that the search command after the inputlookup ("search url=web") doesn't treat web as a variable but just as a word. If I do "search url="*www.Jon.com*"" it works, but I want it to accept a field such as web so it can be dynamic.
**CSV file structure (Not using all columns)**
```csv
pid,url,verdict,process
5654,www.Jon.com/name/dsd.html,Pass,first
5745,www.Michael.com/name/dsdf.html,Fail,first
```
**SPLUNK command**
```spl
source="WinEventLog:Microsoft-Windows-Sysmon/Operational" ParentImage:("DATA") Image:("DATA2" OR "DATA3")
| rex field=ParentImage "^.*\d(?<website>.*)\.*"
| eval web="\"*".(website)."*\""
| eval foo=[| inputlookup URLDatabase.csv | search url=web | return url | format ]
| fields User App Product foo
| bucket _time span=20m
| stats values(User) as Users values(App) as Application values(Product) as Browser values(foo) as URLs by _time
```
I have tried multiple ways to make url=web work, but all failed, as it is not accepting it as a dynamic field/variable.
Any help would be greatly appreciated.
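A Splunk subsearch runs before the outer search and never sees its per-event fields, so `search url=web` inside `[ ... ]` can only ever match the literal word "web". The lookup-based form that avoids the subsearch entirely, added here as an example and not part of the original post: the first search derives the host from the lookup's url column once and writes it to an assumed file `URLHosts.csv`; the second search matches the rexed host of each event against that column with `lookup` and returns the full url as foo. The `ParentImage` pattern, the DATA placeholders and the field names are taken from the post as-is.

```spl
| inputlookup URLDatabase.csv
| eval website=mvindex(split(url, "/"), 0)
| table website url verdict
| outputlookup URLHosts.csv

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" ParentImage:("DATA") Image:("DATA2" OR "DATA3")
| rex field=ParentImage "^.*\d(?<website>.*)\.*"
| lookup URLHosts.csv website OUTPUT url AS foo verdict
| where isnotnull(foo)
| fields User App Product foo verdict
| bucket _time span=20m
| stats values(User) as Users values(App) as Application values(Product) as Browser values(foo) as URLs values(verdict) as Verdicts by _time
```

`lookup` matches the whole field value case-insensitively, so the host extracted by rex must equal the host column exactly; if the event only carries a substring, use a lookup definition with `match_type = WILDCARD(website)` in transforms.conf instead of `where`.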