Splunk Search

Wildcard in domain search

sp00l
New Member

I'm running a search that looks like this:

index=myindex domain=*mydomain* domain!=*.mydomain.com* domain !=mydomain.someotherdomain.com* , etc.

The purpose is to find domains that were visited containing the keyword 'mydomain' but exclude domains I already know about and trust. The issue that I am running into is that I still receive results containing any subdomain of mydomain, such as a.mydomain.com or apps.mydomain.com.

How can I filter out these results appropriately?

0 Karma

somesoni2
Revered Legend

Try this

index=myindex domain=*.mydomain.* OR domain=mydomain.* | where NOT match(domain,"[\W*\.*]*mydomain.com")
0 Karma

sp00l
New Member

No, fakemydomain.com should not show up in the search result as it is another domain, not the one I am searching for (or a subdomain). It just shares the text 'mydomain'.

0 Karma

somesoni2
Revered Legend

In my understanding "fakemydomain.com" should come in the search result (not excluded by filters), isn't it?

0 Karma

linu1988
Champion

Sample addresses, please? It may be slow to make a regex extract and match with the exact value of MYDOMAIN.

0 Karma

sp00l
New Member

Using "domain!=*mydomain.com" would also match results such as "fakemydomain.com", correct? That is one thing I'm trying to avoid.

0 Karma

martin_mueller
SplunkTrust

A word of warning, wildcards behave oddly when used around breaking characters such as periods. Some background: http://answers.splunk.com/answers/1263/the-asterisk-character-is-not-matching-all-characters-when-do...

somesoni2
Revered Legend

What about "domain!=*mydomain.com"?

0 Karma

sp00l
New Member

Looks good now. Thank you, Martin.

0 Karma

martin_mueller
SplunkTrust

Prefix a search with a newline and four spaces to avoid Splunk Answers treating asterisks as formatting characters.

0 Karma

sp00l
New Member

Looks like my original post ate my wildcards, my query should have been index=myindex domain=*mydomain* domain!=*.mydomain.com* domain !=mydomain.someotherdomain.com* , etc.

So I am already using wildcards. I guess my main question at this point would be: is there a better way to filter both mydomain.com and *.mydomain.com with a single filter? Currently it will keep mydomain.com results if I only specify !=*.mydomain.com and vice versa.

0 Karma

somesoni2
Revered Legend

Use "*" as wildcard.

index=myindex domain=*mydomain* NOT (domain=*.mydomain.com OR domain=mydomain.*.com)

Also, provide example events for more accurate suggestions.
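Added example (not code from the thread or from Splunk): a small Python model of the two filtering approaches discussed above, run over a constructed list of visited domains. It shows why an unanchored wildcard like *mydomain.com also drops fakemydomain.com, and how an anchored regex (the same pattern can be used in SPL as `| where NOT match(domain, "^([^.]+\.)*mydomain\.com$")`) excludes mydomain.com and every subdomain of it while keeping look-alike domains for review.

```python
import fnmatch
import re

# Constructed sample of visited domains; not taken from the thread.
VISITED = [
    "mydomain.com",
    "a.mydomain.com",
    "apps.mydomain.com",
    "fakemydomain.com",
    "mydomain.someotherdomain.com",
    "mydomain.co.uk",
    "mydomain.com.evil.example",
    "unrelated.example",
]

# Trusted domain: exactly mydomain.com, or any depth of label in front of it.
# Anchored at both ends so neither a prefix nor a suffix can smuggle a match.
TRUSTED_RE = re.compile(r"^(?:[^.\s]+\.)*mydomain\.com$", re.IGNORECASE)


def wildcard_filter(domains, include="*mydomain*", exclude=("*mydomain.com",)):
    """Glob emulation of the thread's domain=*mydomain* domain!=*mydomain.com idea.

    The leading '*' in the exclusion is unanchored, so it also swallows
    fakemydomain.com, which the poster wanted to keep.
    """
    kept = []
    for d in domains:
        name = d.lower()
        if not fnmatch.fnmatchcase(name, include):
            continue
        if any(fnmatch.fnmatchcase(name, pat) for pat in exclude):
            continue
        kept.append(d)
    return kept


def anchored_filter(domains, keyword="mydomain"):
    """Keyword hit, minus the trusted domain and its subdomains only.

    Look-alikes (fakemydomain.com), the trusted name under another zone
    (mydomain.someotherdomain.com) and suffix tricks (mydomain.com.evil.example)
    all survive, so an analyst still sees them.
    """
    return [d for d in domains if keyword in d.lower() and not TRUSTED_RE.match(d)]
```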
