topic How to find domain from DNS log in Getting Data In

How to find domain from DNS log

romiz2563 — Sun, 11 Jun 2017 07:16:27 GMT

I am trying to compare dns log to a list of suspicions domain

my dns log look like that :

22.333.xxx.apple.com
www.apple.com
sss.ddd.apple.com
123456.a-pple.net
www.333.a-pple.net

and the domain list i want to check is
apple.com
a-pple.net

trying to do it by rex or string with no success

Richfez — Sun, 11 Jun 2017 12:21:01 GMT

For regex, assuming it is in a field named "request", try

| rex field=request "(?<domain>[^\.]*\.[^\.]*)$"

Out the other end, if I didn't mess it all up because this was a pain to do on a phone, you should have a field domain that is what you want.

(EDIT: dur. First sip of coffee went in, actual answer came out.)

woodcock — Sun, 11 Jun 2017 17:46:53 GMT

Have you tried the GetWatchList app?

romiz2563 — Sun, 11 Jun 2017 22:26:56 GMT

Thanks it's working grate

Richfez — Tue, 13 Jun 2017 20:22:48 GMT

Great!

Can you please click "Accept" so all the other people who stumble across this answer will know the answer works?