- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: position of a character in a string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I'm trying to do a substr to strings such as:
google-public-dns-b.google.com
cachewas.tdp.net.pe
b.resolvers.Level3.net
And give me back the following:
google.com
tdp.net.pe
Level3.net
I thought doing a substr(domain,(mvjoin(domain,"."))
But it turned out, that way it could be achieved?
I would appreciate your support.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm assuming that you have a field for that FQDN called 'hostname'. If that is not the field name, use what is the field name. If you don't have a field for the FQDN pre-defined, then the answer would be different. This answer assumes you want two levels of the domain name (as in google.com):
... | rex field=hostname "\.(?<s_domainname>\S+\.\S+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm assuming that you have a field for that FQDN called 'hostname'. If that is not the field name, use what is the field name. If you don't have a field for the FQDN pre-defined, then the answer would be different. This answer assumes you want two levels of the domain name (as in google.com):
... | rex field=hostname "\.(?<s_domainname>\S+\.\S+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
.co.uk 😞
I've thought about working on an app to build up the known TLDs in order to get a correct "domain" mapping, but I never got around to it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
old question, but i worked through a similar problem in
This question
Basically, you can use these to get at different subdomain levels
| rex field=dest_hostname "(?P<ld2>[\w_-]+\.[\w_-]+)$"
| rex field=dest_hostname "(?P<ld3>[\w_-]+\.[\w_-]+\.[\w_-]+)$"
| rex field=dest_hostname "(?P<ld4>[\w_-]+\.[\w_-]+\.[\w_-]+\.[\w_-]+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's very good.
Thank you very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How would you (and thus Splunk) know that the second domain is supposed to be transformed to "tdp.net.pe" and not just "net.pe"?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
