Hi,
I need help on below SPL query.
| eval ci= if (isnull(ci),host,ci),
As per current logic, if there is no value available in ci then it will take host name as ci. Here host value is Splunk HF.
I want should pick up server name or application name from the URL part instead of picking Splunk HF as host in ci filed.
How to change server name or application name from the URL part instead of picking Splunk HF as host in ci filed.
URL Examples : http://abcdflpqr0012.abcd.xyz.com:5050/abcd/intro.html
http://prod-abcd.xyz.com:14000/identity
Can you please help me here.
Thank you.
Extract the CI from the URL and use that in the eval command.
| rex field=URL "https?:\/\/(?<url_ci>[^\.]+)"
| eval ci = coalesce(ci, url_ci)
Extract the CI from the URL and use that in the eval command.
| rex field=URL "https?:\/\/(?<url_ci>[^\.]+)"
| eval ci = coalesce(ci, url_ci)