What regex can I use to remove some fields from ur...

Lu23 · ‎01-19-2023

Hi everyone,
I'm very new here. I need support with extracting this field, "safeframe.googlesyndication.com" from "ofc62fbe04078e8d3b0843298ad3421d.safeframe.google syndication.com" using regex expressions or is there any other command I can use to delete the crap before the urlhost?

Thank you.

Lu23 · ‎01-20-2023

Thank you for your help. I tried that and it returned all fields with the aforementioned domain but it did not eliminate the alphanumeric characters before it.

ITWhisperer · ‎01-20-2023

Can you share some examples of it not working?

Lu23 · ‎01-20-2023

So, the url_host returns IP addresses and some important domain names that I need but a lot of the domain names have those alphanumeric characters attached to them. I don't want the alphanumeric characters to be returned as well. I just need the domain name.

ITWhisperer · ‎01-20-2023

This is just a restatement of the problem, please can you give concrete examples of events that you have where the process provided is not giving you the results you want.

ITWhisperer · ‎01-19-2023

Assuming your field is called field and that the "crap" contains no dots, try something like this

| rex mode=sed field=field "s/[^\.]+\.(?<x>.*$)/\\1/g"

What regex can I use to remove some fields from url_host?

using Splunk Enterprise

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies