I tried that search and it still isn't giving me any results. But here's a sample of the event I'm trying to filter with looks like (I've removed irrelevant fields and changed names to protect the innocent) sourcetype MSAD:NT6:DNS context PACKET dest SERVER direction Rcv eventtype nt6-dns-events(dns network resolution) flags D hexflags 0001 message a host address message_type Query message_type_code A opcode Q packetid 000000DFFFFFF query www.microsoft.com query_type Query record_type A reply_code NOERROR reply_code_description No Error reply_code_id 0 src 1.2.3.4 src_ip 1.2.3.4 tag dns network resolution threadid 0FFF transport UDP _time 2006-01-1T00:00:00.000+00:00 index dns linecount 1 So that query field is what I'm trying to match against. ... View more

Yes that's exactly the problem I'm dealing with. The query line will be something like query="server.domain.com" (without quotes) and I'm trying to just filter on "domain.com" Essentially what I'm trying to do is a query!=*.company.com but pull the "company.com" part from the csv file. ... View more

I tried this approach, but now I'm not getting any results. Which makes me wonder if it's an issue with my csv file. But all that's in it is query (or using your example domain) in the header row, and then I have a flag field. Does splunk still take into account that the domain list I'm using won't be an exact match for the query field? So it's treating it as if I'm doing query!=*.domain.com ? ... View more

Yes it did have a header row. I've played around with it to see if maybe that's the problem. So currently it has "query" (without quotes) in the header row, which is the field I'm trying to match the domain against in the DNS event logs. I've actually tried the example you suggested, and I'm still getting results that include the domains I'm trying to whitelist. ... View more