How to find domain from DNS log

romiz2563
New Member

I am trying to compare a DNS log to a list of suspicious domains.

My DNS log looks like this:

22.333.xxx.apple.com
www.apple.com
sss.ddd.apple.com
123456.a-pple.net
www.333.a-pple.net

and the domain list I want to check is
apple.com
a-pple.net

Trying to do it by rex or string with no success.


Richfez
SplunkTrust

For regex, assuming it is in a field named "request", try

| rex field=request "(?<domain>[^\.]*\.[^\.]*)$"

Out the other end, if I didn't mess it all up because this was a pain to do on a phone, you should have a field domain that is what you want.

(EDIT: dur. First sip of coffee went in, actual answer came out.)

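The same extraction and comparison, as an added Python example (not the poster's rex or anything from the Splunk docs). It reuses the regex from the answer above, shows why a plain substring check over-matches, and handles the one case the last-two-labels regex gets wrong (multi-label public suffixes such as co.uk). The sample request values, the look-alike names and the tiny suffix set are all constructed here; a real deployment would load the full public suffix list.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Regex from the accepted answer: capture the last two dot-separated labels.
# Python spells the named group (?P<name>...) where Splunk's rex uses (?<name>...).
ANSWER_RE = re.compile(r"(?P<domain>[^.]*\.[^.]*)$")

# Constructed sample values for the "request" field, modelled on the question,
# plus three constructed names that expose the edge cases discussed below.
DNS_REQUESTS = [
    "22.333.xxx.apple.com",
    "www.apple.com",
    "sss.ddd.apple.com",
    "123456.a-pple.net",
    "www.333.a-pple.net",
    "notapple.com",           # constructed: contains 'apple.com' but is a different domain
    "apple.com.example.org",  # constructed: watchlist string embedded mid-name
    "mail.bbc.co.uk",         # constructed: multi-label public suffix
]

WATCHLIST = {"apple.com", "a-pple.net"}

# Hypothetical, deliberately tiny stand-in for the public suffix list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def extract_domain(request: str) -> Optional[str]:
    """Last two labels, exactly as the rex in the answer computes them."""
    m = ANSWER_RE.search(request.strip().lower())
    return m.group("domain") if m else None


def extract_registered_domain(request: str) -> Optional[str]:
    """Like extract_domain, but keeps one extra label when the name ends in a
    multi-label public suffix, so mail.bbc.co.uk -> bbc.co.uk rather than co.uk."""
    labels = request.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])


def naive_match(request: str, watchlist: Iterable[str]) -> bool:
    """The substring check the question hints at; kept only to show it over-matches."""
    return any(entry in request for entry in watchlist)


def watchlist_hits(requests: Iterable[str], watchlist: set) -> List[Tuple[str, str]]:
    """Exact comparison of the extracted domain with the watchlist, which is what
    the rex followed by a lookup (or a `search domain=...`) does in Splunk."""
    hits = []
    for request in requests:
        domain = extract_registered_domain(request)
        if domain in watchlist:
            hits.append((request, domain))
    return hits


if __name__ == "__main__":
    for request, domain in watchlist_hits(DNS_REQUESTS, WATCHLIST):
        print(f"{request:28s} -> {domain}")
```

The exact-match comparison is the important part: `notapple.com` and `apple.com.example.org` both contain the string `apple.com`, so a substring search over the raw request would flag them, while comparing the extracted domain against the list does not.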

woodcock
Esteemed Legend

Have you tried the GetWatchList app?

https://splunkbase.splunk.com/app/635/


romiz2563
New Member

Thanks, it's working great.


Richfez
SplunkTrust
SplunkTrust

Great!

Can you please click "Accept" so all the other people who stumble across this answer will know the answer works?
