Splunk Enterprise Security

Wildcard for domain search

johnde
New Member

I am trying to find the domains that came in the logs but were faked to look similar to our domain.
So if my domain is abc.co, I would like to list all entries that came for abc.co.xyz.com, abc.co.aaa.com, etc.
Thanks!

0 Karma

woodcock
Esteemed Legend

Can't you just do myfield=abc.co*? Also, check out this app:
https://splunkbase.splunk.com/app/3376/

0 Karma

koshyk
Super Champion

Please provide sample data for this. You can write the SPL in 1000s of ways if you don't provide sample data.

0 Karma

johnde
New Member

Thanks for the reply @koshyk.
I am new to SPL and still trying to figure out the right approach. What I am trying to find out is if someone faked our login page and redirected a user when they log in with their credentials to our page.
Let's say our login page is login.mydomain.co and someone created a sub-domain with our login page name, login.mydomain.co.fakedomain.com, and this looks similar to our login page. Once a user enters the username and password, they are redirected to mydomain.co. I wanted to see if any of our users clicked on that link and entered the credentials based on the redirect.
fakedomain.com is not constant and it can be any value.

0 Karma
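
Added example, not part of any post in this thread: the matching rule the question describes, written as Python detection logic over a few constructed proxy events. It flags a host only when the protected domain appears as whole DNS labels followed by at least one more label, so the real login.mydomain.co and the unrelated mydomain.com are not reported. The function names, the (user, url) event shape and the sample events are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the protected domain, taken from the thread's example.
PROTECTED = "mydomain.co"

# Protected domain as whole labels, followed by at least one more label,
# e.g. login.mydomain.co.fakedomain.com -> suffix "fakedomain.com".
_EMBEDDED = re.compile(
    r"(?:^|\.)" + re.escape(PROTECTED) + r"\.(?P<suffix>[a-z0-9.-]+)$"
)

def lookalike_suffix(host):
    """Return the trailing domain if host embeds PROTECTED as a prefix, else None."""
    # Normalise case and drop the trailing dot of a fully qualified name.
    host = host.strip().lower().rstrip(".")
    m = _EMBEDDED.search(host)
    return m.group("suffix") if m else None

def find_lookalikes(events):
    """events: iterable of (user, url). Returns a list of (user, host, suffix)."""
    hits = []
    for user, url in events:
        host = urlsplit(url).hostname or ""
        suffix = lookalike_suffix(host)
        if suffix:
            hits.append((user, host, suffix))
    return hits

# Constructed sample proxy events (user, url); not data from the thread.
SAMPLE_EVENTS = [
    ("alice", "https://login.mydomain.co/signin"),                 # real page
    ("bob", "https://login.mydomain.co.fakedomain.com/signin"),    # lookalike
    ("carol", "http://MyDomain.co.aaa.com/"),                      # lookalike, mixed case
    ("dave", "https://mydomain.com/"),                             # different domain
    ("erin", "https://notmydomain.co.xyz.com/"),                   # not a whole label
    ("frank", "https://mydomain.co./"),                            # real domain, trailing dot
]

if __name__ == "__main__":
    for user, host, suffix in find_lookalikes(SAMPLE_EVENTS):
        print(f"{user}\t{host}\t(registered under {suffix})")
```

Grouping the hits by the returned suffix shows which outside domains are hosting the copied name, and the user column gives the accounts to check for a later login to the real page.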