topic Re: Extract a part of field in Splunk Search

Extract a part of field

Olivier2024 — Tue, 20 Feb 2024 10:00:51 GMT

Hi all,

I'm trying to extract a part of a field. The field named Computer and is like MySrv.MyDomain.MySubDom1.com

MySubDom1 can exist or not.

I would like to extract everything after MySrv. I tried with index=MyIndex host=MySrv | rex field=_raw "(?<domaine_test>(\.\w+))"

The result create a new field Domain_test but it stores only the first part "MyDomain" and not the rest of the field.

How can I do this ?

For exemple :

Computer = "MySrv.MyDomain.MySubDom1.com"
Result : Domain_test = "MyDomain.MySubDom1.com"

ITWhisperer — Tue, 20 Feb 2024 10:52:03 GMT

| rex "\w+\.(?<domaine_test>[\.\w]+)"

Olivier2024 — Tue, 20 Feb 2024 14:18:11 GMT

Hi,

Thank you for your response.

I have some domain with "-" character, for exemple black-ice.com
The result is "black". Is it possible to get all domain ?

ITWhisperer — Tue, 20 Feb 2024 14:49:09 GMT

| rex "\w+\.(?<domaine_test>[\.\w-]+)"

if the - is at the end of the character class [] it doesn't need to be escaped

Olivier2024 — Tue, 20 Feb 2024 15:29:00 GMT

It works 🙂

Many thanks for your help !