Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mass Searching for multiple domains

alexman616
Engager
‎04-03-2020 03:45 PM

Hello!

I am trying to search for multiple malware domains in our logs. I cant figure out how to add multiple domains in my search.

Example:

"Bad Domains:"

go9ogle.com
265online.com
bofa2.com

How could I search all of the above domains at the same time?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎04-03-2020 06:14 PM

My suggestion would be to create either a lookup table with the bad domains or a macro. this way you can just add [|inputlookup bad_domains.csv] to the search (for a lookup)

The lookup will work best if the field is extracted in the logs (for instance, a domain field, in which the lookup table has a domain column).

The macro would work if you're just doing keyword searches

View solution in original post

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-03-2020 08:03 PM 
"go9ogle.com" OR "265online.com" OR "bofa2.com"

see: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search
and try https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html

Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎04-03-2020 06:14 PM

My suggestion would be to create either a lookup table with the bad domains or a macro. this way you can just add [|inputlookup bad_domains.csv] to the search (for a lookup)

The lookup will work best if the field is extracted in the logs (for instance, a domain field, in which the lookup table has a domain column).

The macro would work if you're just doing keyword searches

Reply
Solved! Jump to solution

alexman616
Engager
‎04-03-2020 08:40 PM

Thank you so much, we are looking at a list of almost 100,000 bad domains that have come out of this covid situation. I plan to break them up by 1,000 or 10,000... depending what splunk can take. Do you have any recommendations?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-03-2020 08:56 PM 
| makeresults
| eval domain=""
| append [| makeresults count=100000
| streamstats count as A
| eval domain="domain".A
| fields domain
| format]

Isn't it okay if you don't divide it?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top