https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106190#M22358 <P>ok, but how will i specify to extract from the host field in your props.conf you mention for reporting ? your last props.conf entry</P> Fri, 20 May 2011 16:44:24 GMT pmr 2011-05-20T16:44:24Z https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106187#M22355 <P>I'm trying to extract domain info from the host field at search time and have the following props and transforms set, but it doesnt seem to work. My example hostname would be art.mozart.apac.com and trying to extract mozart.apac.com. here's my props and transforms :</P> <P>props.conf</P> <PRE><CODE>[xyz] REPORT-extract_domain_name = domain_name_extract </CODE></PRE> <P>transforms.conf<BR /> [domain_name_extract]</P> <PRE><CODE>SOURCE_KEY = host REGEX = (\.\w+\.\w+\.\w+) FORMAT = domain_name::$1 </CODE></PRE> <P>is my configuration correct ? and any reason why this doesnt work ?</P> <P>thanks<BR /> pmr</P> Mon, 28 Sep 2020 09:35:40 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106187#M22355 pmr 2020-09-28T09:35:40Z https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106188#M22356 <P>You need to escape the dots and add a backslash before your "w" characters. A dot in regex is a special character meaning 'any character'.</P> <P>Your regex should probably look something like this:</P> <PRE><CODE>(\.\w+\.\w+\.\w+)$ </CODE></PRE> Fri, 20 May 2011 07:45:38 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106188#M22356 Ayn 2011-05-20T07:45:38Z https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106189#M22357 <P>If you want to be able to search for this field you have to either make it an indexed field (better performance) </P> <P><A href="http://www.splunk.com/base/Documentation/latest/Data/Configureindex-timefieldextraction">http://www.splunk.com/base/Documentation/latest/Data/Configureindex-timefieldextraction</A></P> <P>props.conf</P> <PRE><CODE>[xyz] TRANSFORMS-extract-domain = extract-domain-name </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[extract-domain-name] SOURCE_KEY = MetaData:Source REGEX=source::\w+\.([\w\.]+)$ FORMAT = domain_name::$1 WRITE_META = true </CODE></PRE> <P>fields.conf</P> <PRE><CODE>[domain_name] INDEXED = true </CODE></PRE> <HR /> <P>or tell Splunk that the event content (_raw) might not contain the field value:</P> <P>fields.conf</P> <PRE><CODE>[domain_name] INDEXED_VALUE = false </CODE></PRE> <HR /> <P>If you want to use this field just for reporting, the it should be sufficient to just extract the field:</P> <P>props.conf</P> <PRE><CODE>[xyz] EXTRACT-domain-name = \.(?&lt;domain_name&gt;[\w\.]+) in source </CODE></PRE> Fri, 20 May 2011 09:31:06 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106189#M22357 ziegfried 2011-05-20T09:31:06Z https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106190#M22358 <P>ok, but how will i specify to extract from the host field in your props.conf you mention for reporting ? your last props.conf entry</P> Fri, 20 May 2011 16:44:24 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106190#M22358 pmr 2011-05-20T16:44:24Z https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106191#M22359 <P>Ah, I unintentionally wrote the examples with the source field. You just have to append "in host" instead of "in source".</P> Tue, 24 May 2011 00:10:26 GMT https://community.splunk.com/t5/Getting-Data-In/extracting-domain-info-from-host/m-p/106191#M22359 ziegfried 2011-05-24T00:10:26Z