
Shannon Entropy for DNS domains

me74fhfd
Path Finder

Hi all, can you please help me?

I am calculating Shannon entropy values for domains from a single index and have two questions.
1) The SPL below works well but calculates Shannon entropy only for the first 100 domain entries. Is there a way to mitigate that, or is it a Splunk limitation?
2) Is there a more elegant way to use mvexpand so that I don't have to calculate entropy twice to get results, since the `ut_shannon(domain)` output looks like the attached picture?
Hope this makes sense.

SPL:
index="index1" sourcetype=sourcetype1 earliest=-24h
| fields Domain | stats values(Domain) as domain | `ut_shannon(domain)` | fields domain | mvexpand domain | rename domain as col1
| appendcols [search
index="index_sdas" sourcetype=ST_SDMP_SDAS earliest=-24h
| fields Domain | stats values(Domain) as domain | `ut_shannon(domain)` | fields ut_shannon | mvexpand ut_shannon | rename ut_shannon as col2]
| where col2 > 4
| table col2 col1
| rename col2 as ShannonEntropy, col1 as Domain
| eval ShannonEntropy = substr(ShannonEntropy,1,7)


[attached image: table1.png]

Thanks
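For readers following the thread, here is the calculation `ut_shannon` performs, written out as an added worked example (this is not code from the original post, nor from Splunk or the URL Toolbox app): character-level Shannon entropy computed once per distinct domain, with the same `> 4` threshold the search above uses to flag high-entropy names. The domain list is constructed for the example; the function names `shannon_entropy`, `score_distinct_domains` and `max_entropy_for_length` are this example's own.

```python
import math
from collections import Counter

# Constructed sample input, standing in for the Domain field of a DNS index.
# Duplicates are deliberate: the search above dedups with stats values(),
# so this example dedups before scoring as well.
SAMPLE_DOMAINS = [
    "google.com",
    "splunk.com",
    "google.com",
    "aaaaaaaa.com",
    "abcdefghijklmnop",          # 16 distinct characters -> exactly 4.0 bits
    "xk3j9q7v2lm8pqwz.net",      # random-looking label, typical DGA shape
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character.

    H = -sum_c p(c) * log2(p(c)), where p(c) is the relative frequency
    of character c within the string. An empty string scores 0.0.
    """
    if not s:
        return 0.0
    n = len(s)
    counts = Counter(s)
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


def max_entropy_for_length(length: int) -> float:
    """Upper bound on entropy for a string of this length.

    A string of length L cannot exceed log2(L) bits per character (reached
    only when every character is distinct). This is why a fixed threshold
    like 4.0 can never fire on domains shorter than 16 characters, which
    is worth knowing before tuning the threshold on real traffic.
    """
    return math.log2(length) if length > 0 else 0.0


def score_distinct_domains(domains, threshold: float = 4.0):
    """Return (domain, entropy) pairs for distinct domains above threshold.

    Entropy is computed exactly once per distinct domain and carried
    alongside the domain, so no second pass or column join is needed.
    Results are sorted by entropy, highest first.
    """
    distinct = sorted(set(domains))
    scored = [(d, shannon_entropy(d)) for d in distinct]
    flagged = [(d, h) for d, h in scored if h > threshold]
    return sorted(flagged, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for domain, h in score_distinct_domains(SAMPLE_DOMAINS):
        # Mirror the substr(ShannonEntropy,1,7) trimming from the search above.
        print(f"{str(h)[:7]:<8} {domain}  (max possible for length: "
              f"{max_entropy_for_length(len(domain)):.3f})")
```

The `max_entropy_for_length` check is the practical caveat when using entropy as a DGA indicator: a short, fully random label can still score below 4.0, so pairing the threshold with domain length (or with entropy relative to the maximum for that length) reduces both misses and false positives.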
