My search results return a list of FQDN domain names. I need to replace that domain name with an app name when a portion of that domain name is located.
For example, this would be the output from my index:
office365.com
outlook.office365.com
sharepoint.office365.com
office.com
fbcdn.net
This is my current search which works but becomes extremely slow when adding a lot of match lines. This search looks for any domain even if it contains subdomains.
For example X10232.fbserver.fbcdn.net. The Facebook line below would match on any *.fbcdn.net domain.
I also need to match on exacts like facebook.com
index=weblogs | sort 0 -domain
| eval domain=case(
match(domain,"^(?=.*\bwordpress.com\b).*$"),"WordPress",
match(domain,"^(?=.*\b.sharepoint.com\b).*$"),"Microsoft Office 365 - Sharepoint",
match(domain,"^(?=.*\b.office365.com\b).*$"),"Microsoft Office 365",
match(domain,"^(?=.*\b.fbcdn.net\b).*$"),"Facebook",
match(domain,"^(?=.*\b.facebook.com\b).*$"),"Facebook",
match(domain,"^(?=.*\bfacebook.com\b).*$"),"Facebook",
true(),domain) | table domain
I would like to perform the same matching task but from a CSV lookup list with three fields. This way I can create two new fields for each event containing appname and apptype.
Domain,AppName,AppType
facebook.com,Facebook,Social Media
office.com,Office 365,Productivity
fbcdn.net,Facebook,Social Media
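The matching rule the post asks for, as an added example that is not part of the original post and is written in Python rather than SPL: each domain is compared against the lookup by whole DNS labels, longest suffix first, so subdomains inherit the app of a listed parent while look-alike names stay unclassified. The function names and the two look-alike sample domains are constructed for illustration.

```python
import csv
import io

# Lookup rows copied from the post's CSV.
LOOKUP_CSV = """Domain,AppName,AppType
facebook.com,Facebook,Social Media
office.com,Office 365,Productivity
fbcdn.net,Facebook,Social Media
"""

def load_lookup(text):
    """Map each lower-cased Domain to its (AppName, AppType) pair."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["Domain"].strip().lower(): (r["AppName"], r["AppType"]) for r in rows}

def classify(domain, lookup):
    """Return (AppName, AppType) for the longest listed suffix, else None.

    Candidates are built from whole DNS labels, so "fbcdn.net" matches
    "x.fbcdn.net" but never "notfbcdn.net" or "fbcdn.net.example.org".
    """
    labels = domain.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in lookup:
            return lookup[candidate]
    return None

def enrich(domains, lookup):
    """Attach appname/apptype to each domain; unmatched domains get None."""
    out = []
    for d in domains:
        app = classify(d, lookup)
        out.append({"domain": d,
                    "appname": app[0] if app else None,
                    "apptype": app[1] if app else None})
    return out

if __name__ == "__main__":
    lookup = load_lookup(LOOKUP_CSV)
    # Constructed sample: domains from the post plus two look-alikes.
    sample = ["X10232.fbserver.fbcdn.net", "facebook.com", "office.com",
              "outlook.office365.com", "notfbcdn.net", "facebook.com.example.org"]
    for row in enrich(sample, lookup):
        print(row)
```

Each event costs at most one dictionary probe per label in its domain, regardless of how many rows the lookup holds, which is what avoids the slowdown of evaluating one regex per app.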