What regex can I use to remove some fields from url_host?

Lu23
Observer

Hi everyone,
I'm very new here. I need support with extracting this field, "safeframe.googlesyndication.com", from "ofc62fbe04078e8d3b0843298ad3421d.safeframe.googlesyndication.com" using regex expressions, or is there any other command I can use to delete the crap before the urlhost?

Thank you.

0 Karma

Lu23
Observer

Thank you for your help. I tried that and it returned all fields with the aforementioned domain but it did not eliminate the alphanumeric characters before it.

0 Karma

ITWhisperer
SplunkTrust

Can you share some examples of it not working?

0 Karma

Lu23
Observer

So, the url_host returns IP addresses and some important domain names that I need but a lot of the domain names have those alphanumeric characters attached to them. I don't want the alphanumeric characters to be returned as well. I just need the domain name.


 

0 Karma

ITWhisperer
SplunkTrust

This is just a restatement of the problem. Please can you give concrete examples of events that you have where the process provided is not giving you the results you want?

0 Karma

ITWhisperer
SplunkTrust

Assuming your field is called field and that the "crap" contains no dots, try something like this:

| rex mode=sed field=field "s/[^\.]+\.(?<x>.*$)/\\1/g"
0 Karma
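Added example, not part of the original thread or of ITWhisperer's answer: a Python model of what the sed expression above is meant to do, next to a guarded variant, run over constructed url_host values of the kinds the question mentions (IP addresses and ordinary domain names). The function names and the assumption that the unwanted prefix is a single 32-character alphanumeric label, as in the one sample on this page, belong to this example only.

```python
import re

# Model of the posted sed expression: drop everything up to and
# including the first dot, whatever the first label is.
POSTED = re.compile(r"[^.]+\.(.*$)")

# Guarded variant (assumption of this example): only strip a leading label
# that is exactly 32 alphanumeric characters, and only if at least two
# labels remain afterwards.
TOKEN_PREFIX = re.compile(r"^[0-9a-z]{32}\.(?=[^.]+\.[^.]+)", re.IGNORECASE)

# Constructed sample values; the first is the host quoted in the question.
SAMPLE_HOSTS = [
    "ofc62fbe04078e8d3b0843298ad3421d.safeframe.googlesyndication.com",
    "10.1.2.3",
    "www.example.com",
    "example.com",
    "localhost",
]


def strip_first_label(host):
    """Behave like the posted expression: always remove the first label."""
    return POSTED.sub(r"\1", host)


def strip_token_prefix(host):
    """Remove the first label only when it looks like the random token."""
    return TOKEN_PREFIX.sub("", host, count=1)


def compare(hosts):
    """Return (original, posted result, guarded result) for each host."""
    return [(h, strip_first_label(h), strip_token_prefix(h)) for h in hosts]


if __name__ == "__main__":
    for original, posted, guarded in compare(SAMPLE_HOSTS):
        print(f"{original:70} posted={posted:35} guarded={guarded}")
```

The unconditional form also shortens IP addresses and ordinary host names, so on a mixed url_host field the anchored, length-limited pattern is the safer one to carry into the search.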