https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468438#M140491 <P>My suggestion would be to create either a lookup table with the bad domains or a macro. this way you can just add <CODE>[|inputlookup bad_domains.csv]</CODE> to the search (for a lookup)</P> <P>The lookup will work best if the field is extracted in the logs (for instance, a domain field, in which the lookup table has a domain column). </P> <P>The macro would work if you're just doing keyword searches</P> Sat, 04 Apr 2020 01:14:11 GMT cmerriman 2020-04-04T01:14:11Z https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468437#M140490 <P>Hello!</P> <P>I am trying to search for multiple malware domains in our logs. I cant figure out how to add multiple domains in my search.</P> <P>Example:</P> <P>"Bad Domains:"</P> <P>go9ogle.com<BR />265online.com<BR />bofa2.com</P> <P>How could I search all of the above domains at the same time?</P> Mon, 08 Jun 2020 21:38:27 GMT https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468437#M140490 alexman616 2020-06-08T21:38:27Z https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468438#M140491 <P>My suggestion would be to create either a lookup table with the bad domains or a macro. this way you can just add <CODE>[|inputlookup bad_domains.csv]</CODE> to the search (for a lookup)</P> <P>The lookup will work best if the field is extracted in the logs (for instance, a domain field, in which the lookup table has a domain column). </P> <P>The macro would work if you're just doing keyword searches</P> Sat, 04 Apr 2020 01:14:11 GMT https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468438#M140491 cmerriman 2020-04-04T01:14:11Z https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468439#M140492 <PRE><CODE>"go9ogle.com" OR "265online.com" OR "bofa2.com" </CODE></PRE> <P>see: <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search</A><BR /> and try <A href="https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html">https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html</A></P> Sat, 04 Apr 2020 03:03:15 GMT https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468439#M140492 to4kawa 2020-04-04T03:03:15Z https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468440#M140493 <P>Thank you so much, we are looking at a list of almost 100,000 bad domains that have come out of this covid situation. I plan to break them up by 1,000 or 10,000... depending what splunk can take. Do you have any recommendations?</P> Sat, 04 Apr 2020 03:40:40 GMT https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468440#M140493 alexman616 2020-04-04T03:40:40Z https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468441#M140494 <PRE><CODE>| makeresults | eval domain="" | append [| makeresults count=100000 | streamstats count as A | eval domain="domain".A | fields domain | format] </CODE></PRE> <P>Isn't it okay if you don't divide it?</P> Sat, 04 Apr 2020 03:56:42 GMT https://community.splunk.com/t5/Splunk-Search/Mass-Searching-for-multiple-domains/m-p/468441#M140494 to4kawa 2020-04-04T03:56:42Z