Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you do URL domain analysis with the Web datamodel?

MonkeyK
Builder
‎11-03-2016 08:22 AM

I wold like to count URL domains for sites categorized as phishing or malware. The closest that I know how to do this is to look at url, but this can frequently be uniquified in the age of REST.

So how does one go about getting accelerated query results for URL domains?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MonkeyK
Builder
‎11-08-2016 09:41 AM

Actually, looks like the attribute "site" addresses domain, so I guess that all I needed was

|tstats count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.site | sort -count +Web.site

still some confusion around the eval. I guess I'll have to take that one up in a different question

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MonkeyK
Builder
‎11-08-2016 09:41 AM

Actually, looks like the attribute "site" addresses domain, so I guess that all I needed was

|tstats count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.site | sort -count +Web.site

still some confusion around the eval. I guess I'll have to take that one up in a different question

0 Karma
Reply
Solved! Jump to solution

MonkeyK
Builder
‎11-08-2016 09:06 AM

So, for example I have this

|tstats summariesonly count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.url

and want to summarize by domain instead of URL. One thought that I had was to do some sort of eval on Web.url and then sum the counts, but I cannot even get eval to work

|tstats summariesonly count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.url
| eval urlDom=Web.url
| stats sum(count) by> urlDom

returns nothing because urlDom is not evaluated. I can see this by trying

|tstats summariesonly count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.url
| eval urlDom=Web.url | fields urlDom, Web.url, count
I get back empty values for urlDom.
Is this an error?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...