I am trying to find the domain that came in the logs but were faked to look similar for our domain.
So if my domain is abc.co I would like to list all entries that came for abc.co.xyz.com, abc.co.aaa.com, etc.
Thanks!
Can't you just do myfield=abc.co*
? Also, check out this app:
https://splunkbase.splunk.com/app/3376/
Please provide sample data for this. You can write the SPL in 1000's of ways if you don't provide sample data
Thanks for the reply @koshyk .
I am new to SPL and still trying to figure out the right approach, what I am trying to find out is if someone faked our login page and redirected a user when they login with their credentials to our page.
Let's say our login page is is login.mydomain.co and someone created a sub-domain with our login page name, login.mydomain.co.fakedomain.com and this looks similar to our login page. Once a user enters the username password they are redirected to mydomain.co. I wanted to see if any of our users clicked on that link and entered the credentials based on the redirect.
fakedomain.com is not constant and it can be any value.