Splunk Enterprise Security

Extract only host name from the URL field-

yat135
Observer

Hi,

I have a field "blockedUri" which can contain two types of value (string or URL). Below is an example :

 

blockedUri = eval

blockedUri = https://analytics.google.com/sample.js

 

I need a splunk search query that will trim and return the only hostname of the value if it's a URL or if it is a normal string simply return the string.

 

The result should be as below :

 

eval

analytics.google.com

 

Thanks in advance

Labels (2)
Tags (2)
0 Karma

ITWhisperer
Ultra Champion
| rex field=blockURL "http(s):\/\/(?<hostname>[^\/]+)"
| eval result=coalesce(hostname,blockedURL)
0 Karma