Solved: How to find domain from DNS log - Splunk Community

Getting Data In

I am trying to compare dns log to a list of suspicions domain

my dns log look like that :

22.333.xxx.apple.com
www.apple.com
sss.ddd.apple.com
123456.a-pple.net
www.333.a-pple.net

and the domain list i want to check is
apple.com
a-pple.net

trying to do it by rex or string with no success

1 Solution

Solution

For regex, assuming it is in a field named "request", try

| rex field=request "(?<domain>[^\.]*\.[^\.]*)$"

Out the other end, if I didn't mess it all up because this was a pain to do on a phone, you should have a field domain that is what you want.

(EDIT: dur. First sip of coffee went in, actual answer came out.)

View solution in original post

Have you tried the GetWatchList app?

https://splunkbase.splunk.com/app/635/

Solution

For regex, assuming it is in a field named "request", try

| rex field=request "(?<domain>[^\.]*\.[^\.]*)$"

Out the other end, if I didn't mess it all up because this was a pain to do on a phone, you should have a field domain that is what you want.

(EDIT: dur. First sip of coffee went in, actual answer came out.)

Thanks it's working grate

Great!

Can you please click "Accept" so all the other people who stumble across this answer will know the answer works?

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...