https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285131#M86242 <P>I am trying to search through logs for unusual domains generated by DGAs. I want to use regex to search for domain names with 7-12 characters ending with TLD. The characters are alphanumeric.<BR /> For example, abc1djdfkf.xyz</P> <P>I have used the following regex patterns, but did not see the desired results.</P> <P>rex field=URL "(?\w{7,12}.(XYZ))$" </P> Sat, 11 Feb 2017 15:52:14 GMT masfar 2017-02-11T15:52:14Z https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285131#M86242 <P>I am trying to search through logs for unusual domains generated by DGAs. I want to use regex to search for domain names with 7-12 characters ending with TLD. The characters are alphanumeric.<BR /> For example, abc1djdfkf.xyz</P> <P>I have used the following regex patterns, but did not see the desired results.</P> <P>rex field=URL "(?\w{7,12}.(XYZ))$" </P> Sat, 11 Feb 2017 15:52:14 GMT https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285131#M86242 masfar 2017-02-11T15:52:14Z https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285132#M86243 <P>Try this</P> <PRE><CODE>...| rex field=URL "(?&lt;domain&gt;\w{7,12}\.xyz)" </CODE></PRE> Sat, 11 Feb 2017 16:38:19 GMT https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285132#M86243 somesoni2 2017-02-11T16:38:19Z https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285133#M86244 <P>somesoni2- The DGA I am observing generates domains in alphanumeric characters, so in my regex I want to be able to search for domains that contain ONLY alphanumeric values. For example, I want to get a hit on ababdbdb233.xyz and not on djdhdjahdja.xyz. </P> Sat, 11 Feb 2017 17:02:44 GMT https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285133#M86244 masfar 2017-02-11T17:02:44Z https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285134#M86245 <P>So... you're looking for seven to twelve alphanumeric characters where at least one is a digit and at least one is a letter?<BR /> I'll be lazy and cheat:</P> <PRE><CODE>| rex field=URL "(?&lt;url_dga&gt;(?=\w*\d)(?=\w*[a-zA-Z])\w{7,12}\.xyz)" | regex URL="(?=\w*\d)(?=\w*[a-zA-Z])\w{7,12}\.xyz" </CODE></PRE> <P>Note 1: I've added <CODE>regex</CODE>, in case you're trying to filter and not extract a field.<BR /> Note 2: djdhdjahdja.xyz is technically alphanumeric <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span><BR /> Note 3: To add more laziness, take a look at <A href="https://splunkbase.splunk.com/app/3435">https://splunkbase.splunk.com/app/3435</A> - one of its examples targets algorithmically generated domains.</P> Sat, 11 Feb 2017 18:16:15 GMT https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285134#M86245 martin_mueller 2017-02-11T18:16:15Z https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285135#M86246 <P>Martin- Thanks, but the query you mentioned is not providing the desired results. For example, the results include abc.zybdkdke12.xyz , <A href="http://www.dahdha2ddalk.xyz">www.dahdha2ddalk.xyz</A>, when I am only interested in the main domain itself (zybdkdke12.xyz and dahdha2ddalk.xyz).</P> Sat, 11 Feb 2017 18:53:00 GMT https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285135#M86246 masfar 2017-02-11T18:53:00Z https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285136#M86247 <P>Well, it does match the example you gave that should match, and doesn't match the example you gave that shouldn't match.</P> <P>Are you trying to extract a new field <CODE>|rex</CODE> or filter results <CODE>|regex</CODE>?</P> Sat, 11 Feb 2017 19:36:01 GMT https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285136#M86247 martin_mueller 2017-02-11T19:36:01Z https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285137#M86248 <P>Martin- I am looking to extract the field.</P> Sat, 11 Feb 2017 20:43:54 GMT https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285137#M86248 masfar 2017-02-11T20:43:54Z https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285138#M86249 <P>I've added back the <CODE>rex</CODE> command to extract fields rather than searching by regex.</P> Sat, 11 Feb 2017 21:15:07 GMT https://community.splunk.com/t5/Splunk-Search/DGA-Regex-in-Splunk/m-p/285138#M86249 martin_mueller 2017-02-11T21:15:07Z