Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Multiple Domains

CyberWolf
Path Finder
‎11-08-2024 05:49 AM

I have an SPLQ that im trying to collect all domains from a raw logs, but my regex is capturing only one domain.
in a single event, some events have one url some of them have 20 and more, how do i capture all domains, please advice?



SPLQ
..............
| rex field=_raw "(?<domain>\w+\.\w+)\/"
| rex field=MessageURLs "\b(?<domain2>(?:http?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
| fillnull value=n/a
| stats count by domain domain2 MessageURLs _raw

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-08-2024 07:14 AM

it shouldn't matter. Here is a run anywhere example with multiple events with different number of URL

| makeresults 
| eval _raw="here are some url and http://firsturl.com and some text again url http://www.secondurl.com and again some text URL http://www.third.com/" 
| append 
    [| makeresults 
    | eval _raw="here are some url and http://fourth.com and some text again url"] 
| append 
    [| makeresults 
    | eval _raw="here are some url and http://fifth.com and some text again url and some text again url http://www.sixth.com and again some text http://www.seventh.com and some http://www.moreandmore.com"] 
| rex max_match=0 "\b(?<domain2>(?:http?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

CyberWolf
Path Finder
‎11-08-2024 07:07 AM

its a good idea, but in my case i don't know what domains they will be in the _raw, so i cant predict the list. Some events have one domain and it captured but the next event has 5, next will have 12 and each event has different domains on the raw.

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-08-2024 07:14 AM

it shouldn't matter. Here is a run anywhere example with multiple events with different number of URL

| makeresults 
| eval _raw="here are some url and http://firsturl.com and some text again url http://www.secondurl.com and again some text URL http://www.third.com/" 
| append 
    [| makeresults 
    | eval _raw="here are some url and http://fourth.com and some text again url"] 
| append 
    [| makeresults 
    | eval _raw="here are some url and http://fifth.com and some text again url and some text again url http://www.sixth.com and again some text http://www.seventh.com and some http://www.moreandmore.com"] 
| rex max_match=0 "\b(?<domain2>(?:http?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

CyberWolf
Path Finder
‎11-08-2024 07:20 AM

Yap it makes since now, it worked thanks!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎11-08-2024 06:44 AM

Try adding the max_match parameter

Here is a run anywhere example.  Please note that the resulted field from  max_match will be a multivalued field in case you want further operation on the field.

| makeresults
| eval _raw="here are some url and http://firsturl.com and some text again url http://www.secondurl.com and again some text URL http://www.third.com/"
| rex max_match=0 "\b(?<domain2>(?:http?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...