Splunk Search

Mass Searching for multiple domains

Engager

Hello!

I am trying to search for multiple malware domains in our logs. I can't figure out how to add multiple domains in my search.

Example:

"Bad Domains:"

go9ogle.com
265online.com
bofa2.com

How could I search all of the above domains at the same time?

Super Champion

My suggestion would be to create either a lookup table with the bad domains or a macro. This way you can just add [|inputlookup bad_domains.csv] to the search (for a lookup).

The lookup will work best if the field is extracted in the logs (for instance, a domain field, in which the lookup table has a domain column).

The macro would work if you're just doing keyword searches.

Engager

Thank you so much, we are looking at a list of almost 100,000 bad domains that have come out of this COVID situation. I plan to break them up by 1,000 or 10,000... depending on what Splunk can take. Do you have any recommendations?

Ultra Champion

| makeresults
| eval domain=""
| append [| makeresults count=100000
| streamstats count as A
| eval domain="domain".A
| fields domain
| format]

Isn't it okay if you don't divide it?

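A fuller version of the lookup and macro approaches from the accepted answer, added here as an example and not posted by anyone in the thread. It assumes a `domain` field is already extracted from the events, an index named `proxy` and a `src_ip` field (all assumptions), and a one-column `bad_domains.csv` with header `domain` uploaded to Splunk. It uses the `lookup` command instead of the `[| inputlookup ...]` subsearch, because the subsearch route is capped by the default subsearch row limit, which matters for a list the size discussed above.

```ini
# --- transforms.conf (local) ---
# Lookup definition backing the uploaded bad_domains.csv (header row: domain).
# Case-insensitive so Go9ogle.com and go9ogle.com both match.
[bad_domains]
filename = bad_domains.csv
case_sensitive_match = false

# --- macros.conf (local) ---
# Keyword macro for a short list, as the accepted answer suggests. Use it as
# `bad_domains_kw` in a search. Fine for a handful of domains, unworkable for
# 100,000 terms in a single search string.
[bad_domains_kw]
definition = (go9ogle.com OR 265online.com OR bofa2.com)
iseval = 0

# --- savedsearches.conf (local) ---
# Scheduled detection that checks every event against the full list with the
# lookup command. Unlike [| inputlookup bad_domains.csv], this path is not
# subject to the subsearch row cap (limits.conf [subsearch] maxout, 10,000 by
# default), so the whole 100,000-row list can be used without splitting it.
# index=proxy and src_ip are assumed names for this example.
[Known bad domain contacted]
search = index=proxy domain=* \
  | lookup bad_domains domain OUTPUT domain AS bad_domain \
  | where isnotnull(bad_domain) \
  | stats count AS hits min(_time) AS first_seen max(_time) AS last_seen \
          dc(src_ip) AS distinct_sources values(src_ip) AS sources BY bad_domain \
  | convert ctime(first_seen) ctime(last_seen)
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
```

Rows with no match get no `bad_domain` field, so the `where isnotnull(bad_domain)` filter keeps only the events that contacted a listed domain; the alert fires whenever the scheduled run returns at least one result.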