You would use a lookup table. Just dump a csv with two columns - a domain column and a "suspicious" column that is always set to 1. The lookup would enrich raw events with an extra "suspicious" field, and you would just search for "sourcetype=dns suspicious=1". Anytime the watchlist changes, you just overwrite the csv table and any new queries would pick up the latest mappings.
You could also tag the domain:
### In tags.conf [domain="bad.domain.etc"] suspicious_domain = enabled
Then run a scheduled search on tag=suspicious_domain which you could alert on for events found > 0
Both approaches posted here by Dan and muebel will work. Choosing one depends on how many domains you want to alert on as well as how you wish to maintain the list of bad domains.
If there are just a few domains, go ahead and tag the domains as per muebel's example and schedule a saved search for the tag and enable alerting: http://www.splunk.com/base/Documentation/4.1.3/AppManagement/Createanalert
If you have a large number of domains, or the list of domains to alert on changes frequently, follow Dan's example. Create a csv with the list of domains and have your search do a lookup on it: http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsfromexternaldatasources Finally, schedule your search and alert on it: http://www.splunk.com/base/Documentation/4.1.3/AppManagement/Createanalert
The advantage of the csv approach is that you can have anybody update the domain filter csv without needing to have special knowledge about splunk. This will appease your PHBs and make your life easier 🙂
I got the concept of creating the new field.. What if i need to have a partial match on any field with a list of malicious domains.. for example the splunk field contains xxxy.com and my list contains xxxy only... how "contains" or "like" can be implemented.