I am trying to compare a DNS log to a list of suspicious domains.
My DNS log looks like this:
22.333.xxx.apple.com
www.apple.com
sss.ddd.apple.com
123456.a-pple.net
www.333.a-pple.net
and the domain list I want to check is
apple.com
a-pple.net
I'm trying to do it with rex or a string match, with no success.
For regex, assuming it is in a field named "request", try
| rex field=request "(?<domain>[^\.]*\.[^\.]*)$"
Out the other end, if I didn't mess it all up because this was a pain to do on a phone, you should have a field domain that is what you want.
(EDIT: dur. First sip of coffee went in, actual answer came out.)
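The rex above keeps only the last two dot-separated labels of the hostname, which is exactly what turns `22.333.xxx.apple.com` into `apple.com` so it can be compared with the list. As an added illustration (not part of the original answer), here is the same extraction and comparison done offline in Python with the identical pattern, run over the hostnames from the question plus two constructed extra lines: one that must not match, and one with a multi-label public suffix (`co.uk`) that shows the pattern's limitation, since it yields `co.uk` rather than `example.co.uk`. The log lines, the watchlist and the function names are assumptions for the example.

```python
import re

# Same pattern as the rex in the answer: the last two dot-separated labels.
DOMAIN_RE = re.compile(r"(?P<domain>[^.]*\.[^.]*)$")

# Constructed sample DNS requests: the five from the question plus two
# hypothetical extras to show a non-match and the multi-label-TLD edge case.
DNS_LOG = [
    "22.333.xxx.apple.com",
    "www.apple.com",
    "sss.ddd.apple.com",
    "123456.a-pple.net",
    "www.333.a-pple.net",
    "cdn.example.org",     # not on the list: must not match
    "www.example.co.uk",   # extracts "co.uk", not "example.co.uk"
]

# Constructed watchlist, same entries as the question.
WATCHLIST = {"apple.com", "a-pple.net"}


def extract_domain(request):
    """Return the last two labels of a hostname (lower-cased), or None if
    the name has no dot at all, e.g. a bare "localhost"."""
    m = DOMAIN_RE.search(request)
    if not m:
        return None
    return m.group("domain").lower()


def matches(log_lines, watchlist):
    """Return (request, domain) pairs whose extracted domain is on the list."""
    wl = {d.lower() for d in watchlist}
    hits = []
    for request in log_lines:
        domain = extract_domain(request)
        if domain in wl:
            hits.append((request, domain))
    return hits


if __name__ == "__main__":
    for request, domain in matches(DNS_LOG, WATCHLIST):
        print(f"{request:24} -> {domain}")
```

If your DNS traffic includes names under two-label public suffixes such as `co.uk`, the two-label pattern will collapse all of them to the suffix; a public-suffix list is the usual fix, but for a watchlist of plain `example.com` style entries the rex from the answer is enough.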
Have you tried the GetWatchList app?
Thanks, it's working great.
Great!
Can you please click "Accept" so all the other people who stumble across this answer will know the answer works?