I'm running a search that looks like this:
index=myindex domain=*mydomain* domain!=*.mydomain.com* domain !=mydomain.someotherdomain.com* , etc..
The purpose is to find domains that were visited containing the keyword 'mydomain' but exclude domains I already know about and trust. The issue that I am running into is that I still receive results containing any subdomain of mydomain, such as a.mydomain.com or apps.mydomain.com.
How can I filter out these results appropriately?
Try this
index=myindex domain=*.mydomain.* OR domain=mydomain.* | where NOT match(domain,"[\W*\.*]*mydomain.com")
No, fakemydomain.com should not show up in the search result as it is another domain, not the one I am searching for (or a subdomain). It just shares the text 'mydomain'.
In my understanding "fakemydomain.com" should appear in the search results (not excluded by filters), shouldn't it?
Sample addresses, please? It may be slow to make a regex extract and match with the exact value of MYDOMAIN.
Using "domain!=*mydomain.com" would also match results such as "fakemydomain.com", correct? That is one thing I'm trying to avoid.
A word of warning: wildcards behave oddly when used around breaking characters such as periods. Some background: http://answers.splunk.com/answers/1263/the-asterisk-character-is-not-matching-all-characters-when-do...
what about "domain!=*mydomain.com" ?
Looks good now. Thank you, Martin.
Prefix a search with a newline and four spaces to avoid Splunk Answers treating asterisks as formatting characters.
Looks like my original post ate my wildcards; my query should have been index=myindex domain=*mydomain* domain!=*.mydomain.com* domain !=mydomain.someotherdomain.com* , etc..
So I am already using wildcards. I guess my main question at this point would be: is there a better way to filter both mydomain.com and *.mydomain.com with a single filter? Currently it will keep mydomain.com results if I only specify !=*.mydomain.com and vice versa.
Use "*" as wildcard.
index=myindex domain=*mydomain* NOT (domain=*.mydomain.com OR domain=mydomain.*.com)
Also, provide example events for more accurate suggestions.
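As an added illustration that is not part of this thread: a small Python model of the two filtering approaches discussed above (the chain of `domain!=pattern` wildcard terms from the question, and a single anchored regex of the kind a `where NOT match(domain, ...)` clause would use), run over constructed sample domain values. It shows why `*mydomain.com` also drops fakemydomain.com while `*.mydomain.com` leaves mydomain.com itself in, and how one anchored pattern covers a trusted domain together with its subdomains. The wildcard model and the trusted-domain list are assumptions of this example, not Splunk's own code.

```python
import re

# Constructed sample values for the `domain` field; not data from the thread.
SAMPLE_DOMAINS = [
    "mydomain.com",
    "a.mydomain.com",
    "apps.mydomain.com",
    "fakemydomain.com",
    "mydomain.someotherdomain.com",
    "mydomain.co.uk",
    "other.example.net",
]


def matches_wildcard(value: str, pattern: str) -> bool:
    """Model of Splunk's `field=pattern` test: '*' stands for any run of
    characters, including none, and the whole value must match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def kept_by_wildcard_exclusions(domains, exclusions):
    """The question's approach: a chain of `domain!=pattern` terms. A value
    survives only if it matches none of the exclusion patterns."""
    return [d for d in domains
            if not any(matches_wildcard(d, p) for p in exclusions)]


def kept_by_anchored_regex(domains, trusted):
    """One `where NOT match(domain, ...)` style filter covering each trusted
    domain and its subdomains. For trusted=["mydomain.com"] the regex is
    "(^|\\.)(mydomain\\.com)$": the leading "(^|\\.)" group rejects
    fakemydomain.com, the trailing "$" rejects mydomain.co.uk, and
    mydomain.com, a.mydomain.com and apps.mydomain.com are all dropped."""
    alternation = "|".join(re.escape(t) for t in trusted)
    pattern = re.compile(r"(^|\.)(" + alternation + r")$", re.IGNORECASE)
    return [d for d in domains if not pattern.search(d)]


if __name__ == "__main__":
    print("!=*.mydomain.com ->", kept_by_wildcard_exclusions(SAMPLE_DOMAINS, ["*.mydomain.com"]))
    print("!=*mydomain.com  ->", kept_by_wildcard_exclusions(SAMPLE_DOMAINS, ["*mydomain.com"]))
    print("anchored regex   ->", kept_by_anchored_regex(
        SAMPLE_DOMAINS, ["mydomain.com", "mydomain.someotherdomain.com"]))
```

Note that Splunk's `match()` is case-sensitive unless the pattern starts with `(?i)`, whereas the wildcard comparison in the base search is not; the model above uses case-insensitive matching in both places so the two approaches differ only in the point being illustrated.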