Solved: Re: How do you do URL domain analysis with the Web...

MonkeyK · ‎11-03-2016

I wold like to count URL domains for sites categorized as phishing or malware. The closest that I know how to do this is to look at url, but this can frequently be uniquified in the age of REST.

So how does one go about getting accelerated query results for URL domains?

MonkeyK · ‎11-08-2016

Actually, looks like the attribute "site" addresses domain, so I guess that all I needed was

|tstats count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.site | sort -count +Web.site

still some confusion around the eval. I guess I'll have to take that one up in a different question

View solution in original post

MonkeyK · ‎11-08-2016

Actually, looks like the attribute "site" addresses domain, so I guess that all I needed was

|tstats count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.site | sort -count +Web.site

still some confusion around the eval. I guess I'll have to take that one up in a different question

MonkeyK · ‎11-08-2016

So, for example I have this

|tstats summariesonly count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.url

and want to summarize by domain instead of URL. One thought that I had was to do some sort of eval on Web.url and then sum the counts, but I cannot even get eval to work

|tstats summariesonly count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.url
| eval urlDom=Web.url
| stats sum(count) by> urlDom

returns nothing because urlDom is not evaluated. I can see this by trying

|tstats summariesonly count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.url
| eval urlDom=Web.url | fields urlDom, Web.url, count
I get back empty values for urlDom.
Is this an error?

How do you do URL domain analysis with the Web datamodel?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!