Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract only host name from the URL field-

yat135
Observer
‎11-20-2020 12:09 AM

Hi,

I have a field "blockedUri" which can contain two types of value (string or URL). Below is an example :

 

blockedUri = eval

blockedUri = https://analytics.google.com/sample.js

 

I need a splunk search query that will trim and return the only hostname of the value if it's a URL or if it is a normal string simply return the string.

 

The result should be as below :

 

eval

analytics.google.com

 

Thanks in advance

Labels (2)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
Ultra Champion
‎11-20-2020 12:36 AM 
| rex field=blockURL "http(s):\/\/(?<hostname>[^\/]+)"
| eval result=coalesce(hostname,blockedURL)
0 Karma
Reply
Get Updates on the Splunk Community!