Hi,
I am parsing the DNS logs in Splunk and, in order to refine my search results, I use something like the following.
For an IP address xxx.xxx.xxx.xxx, which sends DNS queries for a host at some point in time, I would like to view the list of all the different hosts queried.
So, my Splunk search is:
xxx.xxx.xxx.xxx sourcetype="dns" | table _time, query
There are many results where I have entries for subdomains of yyy.com and zzz.com, which I want to filter out.
I can write something like the following to exclude just one of the domains from the results:
xxx.xxx.xxx.xxx sourcetype="dns" query!="yyy" | table _time, query
Now, two questions:
How do I do this for two or more domains that I would like to exclude? Is there an option to use an AND or OR operator?
How do I display only the unique query entries in the results?
I know we can use the search below to display all unique query entries and a count of them:
xxx.xxx.xxx.xxx sourcetype="dns" query!="yyy" | table _time, query | stats count by query
But this way the _time column is not shown in the results, and I would definitely not want to omit it.
Thanks.
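As an added example (not part of the original post), here is one way to do both things in SPL. It assumes the same bare-IP term search and that the queried name is in the `query` field, as in the searches above; the field names `first_seen` and `last_seen` are just labels chosen here.

```spl
xxx.xxx.xxx.xxx sourcetype="dns" NOT (query="*.yyy.com" OR query="*.zzz.com")
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count BY query
| convert ctime(first_seen) ctime(last_seen)
| sort - count

xxx.xxx.xxx.xxx sourcetype="dns" NOT (query="*.yyy.com" OR query="*.zzz.com")
| dedup query
| table _time, query
```

A few points on why it is written this way. `query!="yyy"` only drops events whose query is exactly the string `yyy`; to exclude every subdomain you need a wildcard such as `*.yyy.com`, and several exclusions can be combined with `OR` inside `NOT (...)` (`AND` between two `!=` tests works too, but `NOT` also keeps events that have no `query` field at all, whereas `!=` silently drops them). The first search answers the uniqueness question without losing time information: `stats ... BY query` yields one row per distinct query, and `earliest`/`latest` keep the first and last time it was seen, which `convert ctime` turns back into readable timestamps. The second search instead keeps one whole event per query via `dedup`; because results come back newest first by default, that is the most recent lookup of each name, with its original `_time`. One caveat for either form: a bare IP term matches anywhere in the raw event (an answer record or the resolver's own address could match), so if your sourcetype extracts a client-address field, filtering on that field (for example `src_ip="xxx.xxx.xxx.xxx"`, a field name assumed here) is more precise.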