Solved: Filter by URL

roseb · ‎08-08-2017

How do we filter by URL?
I use the search criteria below, however, I'm trying to figure out how will I filter the results by URL (e.g. facebook.com)
eventtype=AllBrowsing user= |table user url

Thanks in advance.

martin_mueller · ‎08-09-2017

Add as many filters as you like to your initial search:

eventtype=AllBrowsing user=something url=facebook.com | table user url

That's assuming the entire url value is literally facebook.com, otherwise you'd probably want to extract the host name from the url and filter on that.

View solution in original post

martin_mueller · ‎08-09-2017

Add as many filters as you like to your initial search:

eventtype=AllBrowsing user=something url=facebook.com | table user url

That's assuming the entire url value is literally facebook.com, otherwise you'd probably want to extract the host name from the url and filter on that.

martin_mueller · ‎08-09-2017

You can add wildcards, e.g. url=facebook.com/*. I highly recommend going through the tutorial at http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchTutorial/WelcometotheSearchTutorial

There is endless information in the docs, including how to work with fields: http://docs.splunk.com/Documentation/Splunk/6.6.2/Knowledge/Aboutfields

roseb · ‎08-09-2017

Hi Martin,

Thanks for your thorough answer.

The url value is not exactly facebook.com. It could be anything after the url like "facebook.com/posts/123"
Can I add a wildcard entry like url=facebook.com/* or how do I do your recommendation "extract the host name from the url and filter on that"?

🙂

Filter by URL

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...