Splunk: How to Make Lookup Based on Wildcards

November 25, 2024 · 1 min read

1) Add the following stanza to transforms.conf:

[field_from_sourcetype]
batch_index_query = 0
case_sensitive_match = 0
filename = field_from_sourcetype.csv
match_type = WILDCARD(Sourcetype)

2) Create the field_from_sourcetype.csv file with the wildcard patterns and put it in the lookups folder:

Sourcetype,field_name
*apache*,http_method
*access_combined*,http_method
*cloudtrail*,eventName
*ms:aad*,Category
*nginx*,http_method
*ms:o365*,Workload
*office365*,Workload
*o365*,Workload
*powershell*,EventCode
*windows.ps*,EventCode
*slack*,action
*sysmon*,EventCode
*zscaler*,http_method
*system.security*,EventCode
*winlog*,EventCode
*wineventlog*,EventCode
*windows.security*,EventCode

As a result, field_name is populated for each event according to the wildcard patterns in the list.
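To sanity-check a wildcard lookup file before deploying it, here is an added Python script that is not part of the post or of Splunk: it parses the CSV, flags values padded with whitespace (one row in the embedded copy deliberately has a space after the comma so the check has something to report), and lists every row a given sourcetype would match under case_sensitive_match = 0. The matcher assumes, like Splunk's WILDCARD match type, that only `*` is a wildcard; the sourcetype strings are constructed for illustration, and the script does not reproduce Splunk's own row ordering or max_matches handling when several rows match.

```python
import csv
import io
import re

# Constructed lookup file modelled on field_from_sourcetype.csv. It is embedded here so the
# script runs offline; the last row deliberately carries a space after the comma to show
# how such padding surfaces in padded_rows() below.
LOOKUP_CSV = """Sourcetype,field_name
*apache*,http_method
*access_combined*,http_method
*cloudtrail*,eventName
*ms:aad*,Category
*nginx*,http_method
*ms:o365*,Workload
*office365*,Workload
*o365*,Workload
*powershell*,EventCode
*windows.ps*,EventCode
*slack*,action
*sysmon*,EventCode
*zscaler*,http_method
*system.security*,EventCode
*winlog*,EventCode
*wineventlog*,EventCode
*windows.security*, EventCode
"""


def load_lookup(text):
    """Parse the CSV into (pattern, field_name) tuples without trimming, so padding stays visible."""
    return [(row["Sourcetype"], row["field_name"]) for row in csv.DictReader(io.StringIO(text))]


def padded_rows(rows):
    """Rows whose pattern or output value has leading/trailing whitespace.
    A padded output such as ' EventCode' is a different string from 'EventCode' in later searches."""
    return [(p, f) for p, f in rows if p != p.strip() or f != f.strip()]


def wildcard_regex(pattern):
    """Assumption: as in Splunk's WILDCARD match type, only '*' is special; every other character is literal."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")), re.DOTALL)


def match_sourcetype(rows, sourcetype, case_sensitive=False):
    """Return field_name of every row whose pattern matches the sourcetype, in file order.
    case_sensitive=False folds both sides to lower case, mirroring case_sensitive_match = 0."""
    hits = []
    for pattern, field in rows:
        p, s = (pattern, sourcetype) if case_sensitive else (pattern.lower(), sourcetype.lower())
        if wildcard_regex(p).fullmatch(s):
            hits.append(field)
    return hits


def resolve(rows, sourcetype):
    """Distinct output values for a sourcetype. More than one means overlapping patterns
    disagree, and the value the lookup emits depends on row order rather than on the data."""
    return sorted(set(match_sourcetype(rows, sourcetype)))


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    print("padded rows:", padded_rows(rows))
    # Constructed sourcetype names, chosen to exercise case folding and overlapping patterns.
    for st in ["aws:cloudtrail", "ms:o365:management", "Apache:Access",
               "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "windows.security"]:
        print(f"{st!r:60} -> {match_sourcetype(rows, st)} -> {resolve(rows, st)}")
```

Run it after every edit to the CSV: an empty result for a sourcetype you expect to cover means a missing pattern, two different values from resolve() mean overlapping rows that need to be reconciled, and any output from padded_rows() is a typo that will silently produce a field value that looks right but does not compare equal.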
