I am having a hard time trying to understand the difference between "lookup", "inputlookup", and "outputlookup". I am also trying to get a basic real world example of why one may use one over the other. I am assuming that you first have to create the actual lookup file, which I have done from a static csv file that contains some malicious domains. My badfile.csv contains a field of "Domain" and let's say I am trying to search my "weblogs" sourcetype, and those logs also have the field name of "Domain". I know I need a common field in my lookup file that matches the sourcetype I am trying to search from, so a correlation can be made. I am trying to figure out if I could use the "inputlookup" command to search for any hits or if I need to use the "lookup" command, or if I need to use a combination of both. Also, how would the outputlookup command play into this?

I guess I am not sure what inputlookup vs lookup does and am just looking for a more clear definition. Any information that anyone can provide to give a basic understanding to a beginner is much appreciated.

For reference: the docs have a page for each command: lookup, inputlookup and outputlookup.

lookup adds data to each existing event in your result set based on a field existing in the event matching a value in the lookup. inputlookup takes the table of the lookup and creates new events in your result set (either created completely or added to a prior result set). outputlookup takes the current event set and writes it to a CSV or KVStore.
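To make the difference concrete for the badfile.csv / weblogs scenario above, here is a small Python model of what each command does to the result set, with the equivalent SPL in comments. This is an added example, not code from the original thread; the sample weblog events and the extra "threat" column in the lookup are constructed.

```python
import csv
import io

# Constructed sample data (not from the original post): the asker's badfile.csv
# with an extra "threat" column, and three events from the "weblogs" sourcetype.
BADFILE_CSV = """Domain,threat
evil.example,malware
bad.example,phishing
"""
WEBLOGS = [
    {"src_ip": "10.0.0.5", "Domain": "evil.example", "uri": "/x"},
    {"src_ip": "10.0.0.6", "Domain": "good.example", "uri": "/y"},
    {"src_ip": "10.0.0.7", "Domain": "bad.example", "uri": "/z"},
]

def read_lookup(csv_text):
    # Parse the lookup table into a list of row dicts.
    return list(csv.DictReader(io.StringIO(csv_text)))

def inputlookup(csv_text):
    # SPL: | inputlookup badfile.csv
    # The lookup rows themselves become the events; weblogs are not read at all.
    return read_lookup(csv_text)

def lookup(events, csv_text, field="Domain"):
    # SPL: sourcetype=weblogs | lookup badfile.csv Domain OUTPUT threat
    # Every incoming event is kept; an event whose Domain matches a row gains
    # that row's other columns (here "threat"). Non-matching events are unchanged.
    table = {row[field]: row for row in read_lookup(csv_text)}
    out = []
    for ev in events:
        enriched = dict(ev)
        hit = table.get(ev.get(field))
        if hit:
            enriched.update({k: v for k, v in hit.items() if k != field})
        out.append(enriched)
    return out

def matches_only(events, csv_text, field="Domain"):
    # SPL: sourcetype=weblogs | lookup badfile.csv Domain OUTPUT threat | where isnotnull(threat)
    # Same result via a subsearch that combines both commands:
    # SPL: sourcetype=weblogs [| inputlookup badfile.csv | fields Domain]
    return [ev for ev in lookup(events, csv_text, field) if "threat" in ev]

def outputlookup(events, fields):
    # SPL: ... | table src_ip Domain threat | outputlookup hits.csv
    # Writes the current result set out as a CSV (returned as text here).
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    w.writeheader()
    w.writerows(events)
    return buf.getvalue()
```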