Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

web gateway filter activity to urls

daveevad
New Member
‎03-13-2020 07:10 AM

i have 117 sites listed from homeland security. i need to check if any of our machine have visited them. We have McAfee web gateway logs funneled into splunk. What's the best way to go about looking for that activity?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-13-2020 10:36 AM

You can create a csv file with all the 117 urls, upload it in search head and use that in your search. This will filter data with all the urls in csv file.

urls.csv

dhost
www.upanddown.ocry.com
www.upanddown.ocry.com
good.weascapes.com
khinhte.chinhsech.com
...

Search query:

source=Webgateway [ | inputlookup urls.csv]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PavelP
Motivator
‎03-13-2020 03:58 PM

such lists (example: https://urlhaus.abuse.ch/browse/) often contains full urls with http:// prefix. A url http://www.example.com/ from the csv file will not match https://www.example.com/foo?xx in your proxy log. It is better to extract the domain part (www.example.com or even example.com) before searching.

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-13-2020 10:36 AM

You can create a csv file with all the 117 urls, upload it in search head and use that in your search. This will filter data with all the urls in csv file.

urls.csv

dhost
www.upanddown.ocry.com
www.upanddown.ocry.com
good.weascapes.com
khinhte.chinhsech.com
...

Search query:

source=Webgateway [ | inputlookup urls.csv]
0 Karma
Reply
Solved! Jump to solution

daveevad
New Member
‎03-13-2020 11:21 AM

cool! thanks!

0 Karma
Reply
Solved! Jump to solution

daveevad
New Member
‎03-13-2020 07:24 AM

ok, maybe i was making this harder than it needs to be. I can do this for example...
source=Webgateway walmart.com
i get alot of hits, of course. Do i have to do this 117 times, one for each url/ftp site?

0 Karma
Reply
Solved! Jump to solution

daveevad
New Member
‎03-13-2020 07:32 AM

can i use "OR" statements between urls to search for several at one time?

0 Karma
Reply
Solved! Jump to solution

daveevad
New Member
‎03-13-2020 07:34 AM

Ah, answer is yes. How many can i string together?

0 Karma
Reply
Solved! Jump to solution

daveevad
New Member
‎03-13-2020 08:05 AM

apparently at least 10 sites. Was able to do searching without errors. Talked myself through this. I good now. Open to better ways though!
Thanks.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-13-2020 09:04 AM

Are these website values part of a field in the data?

0 Karma
Reply
Solved! Jump to solution

daveevad
New Member
‎03-13-2020 10:22 AM

as in my example for a walmart.com search, it showed up as
dhost="beacon.walmart.com"
That what you mean?

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-13-2020 10:26 AM

yes, are other website names are part of this field?

Provide some sample for below query.

source=Webgateway | head 20 | table dhost
0 Karma
Reply
Solved! Jump to solution

daveevad
New Member
‎03-13-2020 10:31 AM

i had 117 various urls and ftp sites. I was checking to see if any of our user went to any of those site. One of my queries looked like this.
source=Webgateway www.upanddown.ocry.com OR dothi.chinhsech.com OR good.weascapes.com OR khinhte.chinhsech.com OR hcm.vozforumsx.com OR image.biengioivn.com OR lat.conglyan.com OR login.chinhphuna.com OR login.haiduongpcg.com OR luan.conglyan.com
Which worked, i threw in a youtube.com and a walmart.com in there to check. A table would be cleaner though...

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-13-2020 11:27 AM

I converted my comment to answer. Please accepts it if it works for you.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...