Splunk Enterprise

Split url and extract values

balash1979
Path Finder

When I run my Splunk query, I get url field and the value of the field is like this
https://location-server-aks-611ab294.test.australia.azm.io:443/api

I would like to extract the words "location" and "server" from the above value. How can I accomplish this ?

Tags (1)
0 Karma

Richfez
SplunkTrust
SplunkTrust

If they'll always be in the same place in the string, and will always be delimited by dashes...

mysearch | rex "https:\/\/(?<first_string>[^-]*)-(?<second_string>[^-]*)"

That will retrieve the aptly named "first_string" and "second_string" from the first two '-' delimited things in the url after https.

A variation of that can be put in props to extract it always. For that, look at EXTRACT- or REPORT- props settings from the props.conf spec file

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...