Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you do URL domain analysis with the Web datamodel?

MonkeyK
Builder
‎11-03-2016 08:22 AM

I wold like to count URL domains for sites categorized as phishing or malware. The closest that I know how to do this is to look at url, but this can frequently be uniquified in the age of REST.

So how does one go about getting accelerated query results for URL domains?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MonkeyK
Builder
‎11-08-2016 09:41 AM

Actually, looks like the attribute "site" addresses domain, so I guess that all I needed was

|tstats count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.site | sort -count +Web.site

still some confusion around the eval. I guess I'll have to take that one up in a different question

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MonkeyK
Builder
‎11-08-2016 09:41 AM

Actually, looks like the attribute "site" addresses domain, so I guess that all I needed was

|tstats count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.site | sort -count +Web.site

still some confusion around the eval. I guess I'll have to take that one up in a different question

0 Karma
Reply
Solved! Jump to solution

MonkeyK
Builder
‎11-08-2016 09:06 AM

So, for example I have this

|tstats summariesonly count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.url

and want to summarize by domain instead of URL. One thought that I had was to do some sort of eval on Web.url and then sum the counts, but I cannot even get eval to work

|tstats summariesonly count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.url
| eval urlDom=Web.url
| stats sum(count) by> urlDom

returns nothing because urlDom is not evaluated. I can see this by trying

|tstats summariesonly count FROM datamodel=Web.Web WHERE Web.category=malware BY Web.url
| eval urlDom=Web.url | fields urlDom, Web.url, count
I get back empty values for urlDom.
Is this an error?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...