topic Re: How to trim away the port and use only URL after ":"? in Splunk Search

How to trim away the port and use only URL after ":"?

kiran331 — Mon, 12 Feb 2018 19:16:41 GMT

Hi,

I have a field with values URL and port, how to trim away the port and only use URL?
For example,

abc.net:9090
abc.bb23.org:8081

required output:

abc.net
abc.bb23.org

supabuck — Mon, 12 Feb 2018 19:44:54 GMT

Hello,

You want to use a regular expression to complete this.

If your field is called ipaddr the following code would apply. Replace the word ipaddr with whatever field you have which captures the IP address.

index=foo sourcetype=bar | rex field=ipaddr "(?P<ipaddr>.*):"

This returns everything before the : and places it in the field called ipaddr.

Let me know if this works.

Thank you,
Supabuck

richgalloway — Mon, 12 Feb 2018 19:46:37 GMT

One way is with rex.

... | rex field=foo "(?<URL>[^:]+)" | ...

mayurr98 — Tue, 13 Feb 2018 06:26:24 GMT

hey try this run anywhere search

| makeresults 
| eval data="abc.net:9090 abc.bb23.org:8081" 
| makemv data 
| mvexpand data 
| rex field=data "^(?P<URL>[^\:]+)\:"

In your environment, you should write

<your_base_search> | rex field=<field_name>  "^(?P<URL>[^\:]+)\:"

let me know if this helps!