https://community.splunk.com/t5/Splunk-Search/Regex-searching-using-a-csv-list-vs-inline-RegEx/m-p/323979#M96693 <P>My search results return a list of FQDN domain names. I need to replace that domain name with an app name when a portion of that domain name is located.</P> <P>For example this would be the output from my index<BR /> office365.com<BR /> outlook.office365.com<BR /> sharepoint.office365.com<BR /> office.com<BR /> fbcdn.net</P> <P>This is my current search which works but becomes extremely slow when adding a lot of match lines. This search looks for any domain even if it contains subdomains.<BR /> For example X10232.fbserver.fbcdn.net. The Facebook line below would match on any *.fbcdn.net domain.<BR /> I also need to match on exacts like facebook.com</P> <PRE><CODE>index=weblogs | sort 0 -domain | eval domain=case( match(domain,"^(?=.*\bwordpress.com\b).*$"),"WordPress", match(domain,"^(?=.*\b.sharepoint.com\b).*$"),"Microsoft Office 365 - Sharepoint", match(domain,"^(?=.*\b.office365.com\b).*$"),"Microsoft Office 365", match(domain,"^(?=.*\b.fbcdn.net\b).*$"),"Facebook", match(domain,"^(?=.*\b.facebook.com\b).*$"),"Facebook", match(domain,"^(?=.*\bfacebook.com\b).*$"),"Facebook", true(),domain) | table domain </CODE></PRE> <P>I would like preform the same matching task but from a CSV lookup list with three fields. This way I can create two new fields for each event containing appname and apptype</P> <PRE><CODE>Domain,AppName,AppType facebook.com,Facebook,Social Media office.com,Office 365,Productivity fbcdn.net,Facebook,Social Media </CODE></PRE> Wed, 31 May 2017 15:47:53 GMT justinbarta 2017-05-31T15:47:53Z https://community.splunk.com/t5/Splunk-Search/Regex-searching-using-a-csv-list-vs-inline-RegEx/m-p/323979#M96693 <P>My search results return a list of FQDN domain names. I need to replace that domain name with an app name when a portion of that domain name is located.</P> <P>For example this would be the output from my index<BR /> office365.com<BR /> outlook.office365.com<BR /> sharepoint.office365.com<BR /> office.com<BR /> fbcdn.net</P> <P>This is my current search which works but becomes extremely slow when adding a lot of match lines. This search looks for any domain even if it contains subdomains.<BR /> For example X10232.fbserver.fbcdn.net. The Facebook line below would match on any *.fbcdn.net domain.<BR /> I also need to match on exacts like facebook.com</P> <PRE><CODE>index=weblogs | sort 0 -domain | eval domain=case( match(domain,"^(?=.*\bwordpress.com\b).*$"),"WordPress", match(domain,"^(?=.*\b.sharepoint.com\b).*$"),"Microsoft Office 365 - Sharepoint", match(domain,"^(?=.*\b.office365.com\b).*$"),"Microsoft Office 365", match(domain,"^(?=.*\b.fbcdn.net\b).*$"),"Facebook", match(domain,"^(?=.*\b.facebook.com\b).*$"),"Facebook", match(domain,"^(?=.*\bfacebook.com\b).*$"),"Facebook", true(),domain) | table domain </CODE></PRE> <P>I would like preform the same matching task but from a CSV lookup list with three fields. This way I can create two new fields for each event containing appname and apptype</P> <PRE><CODE>Domain,AppName,AppType facebook.com,Facebook,Social Media office.com,Office 365,Productivity fbcdn.net,Facebook,Social Media </CODE></PRE> Wed, 31 May 2017 15:47:53 GMT https://community.splunk.com/t5/Splunk-Search/Regex-searching-using-a-csv-list-vs-inline-RegEx/m-p/323979#M96693 justinbarta 2017-05-31T15:47:53Z https://community.splunk.com/t5/Splunk-Search/Regex-searching-using-a-csv-list-vs-inline-RegEx/m-p/323980#M96694 <P>You can do this with a lookup, making use of match_type (<A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf">transforms.conf</A><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>match_type = &lt;string&gt; * A comma and space-delimited list of &lt;match_type&gt;(&lt;field_name&gt;) specification to allow for non-exact matching * The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default and does not need to be specified. Only fields that should use WILDCARD or CIDR matching should be specified in this list </CODE></PRE> <P>You probably want your lookup to look like:</P> <PRE><CODE> Domain,AppName,AppType facebook.com,Facebook,Social Media *.facebook.com,Facebook,Social Media office.com,Office 365,Productivity *.office.com,Office 365,Productivity fbcdn.net,Facebook,Social Media *.fbcdn.net,Facebook,Social Media </CODE></PRE> <P>In order to match facebook.com and <A href="http://www.facebook.com">www.facebook.com</A>, but not fakefacebook.com.</P> Wed, 31 May 2017 16:17:06 GMT https://community.splunk.com/t5/Splunk-Search/Regex-searching-using-a-csv-list-vs-inline-RegEx/m-p/323980#M96694 micahkemp 2017-05-31T16:17:06Z https://community.splunk.com/t5/Splunk-Search/Regex-searching-using-a-csv-list-vs-inline-RegEx/m-p/323981#M96695 <P>It is not going to be as simple as you might expect; there are apps for this stuff and I would highly suggest you check out how others have tackled this same kind of thing (the lookup part is easy once you get the domain normalization stuff working):</P> <P>URL Tollbox: <A href="https://splunkbase.splunk.com/app/2734/">https://splunkbase.splunk.com/app/2734/</A><BR /> URL Parser: <A href="https://splunkbase.splunk.com/app/1545/">https://splunkbase.splunk.com/app/1545/</A><BR /> URL Expander: <A href="https://splunkbase.splunk.com/app/3460/">https://splunkbase.splunk.com/app/3460/</A><BR /> URL Parser: <A href="https://splunkbase.splunk.com/app/3396/">https://splunkbase.splunk.com/app/3396/</A></P> Wed, 31 May 2017 17:01:46 GMT https://community.splunk.com/t5/Splunk-Search/Regex-searching-using-a-csv-list-vs-inline-RegEx/m-p/323981#M96695 woodcock 2017-05-31T17:01:46Z