Splunk Enterprise

What regex can I use to remove some fields from url_host?

Lu23
Observer

Hi everyone,
I'm very new here. I need support with extracting this field, "safeframe.googlesyndication.com", from "ofc62fbe04078e8d3b0843298ad3421d.safeframe.googlesyndication.com" using regex expressions, or is there any other command I can use to delete the crap before the urlhost?

Thank you.

0 Karma

Lu23
Observer

Thank you for your help. I tried that and it returned all fields with the aforementioned domain but it did not eliminate the alphanumeric characters before it.

0 Karma

ITWhisperer
SplunkTrust

Can you share some examples of it not working?

0 Karma

Lu23
Observer

So, the url_host returns IP addresses and some important domain names that I need but a lot of the domain names have those alphanumeric characters attached to them. I don't want the alphanumeric characters to be returned as well. I just need the domain name.


 

0 Karma

ITWhisperer
SplunkTrust

This is just a restatement of the problem. Please can you give concrete examples of events that you have where the process provided is not giving you the results you want?

0 Karma

ITWhisperer
SplunkTrust

Assuming your field is called field and that the "crap" contains no dots, try something like this

| rex mode=sed field=field "s/[^\.]+\.(?<x>.*$)/\\1/g"
0 Karma
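
Added example (not part of the thread): the sed expression above removes the first dot-separated label from every value, so it is worth checking what it does to the IP addresses and already-clean domains that the question says url_host also contains. The Python below emulates the expression and compares it with a narrower pattern. The 32-character prefix rule, the function names and the sample hosts are assumptions made for this example.

```python
import ipaddress
import re

# The thread's sed expression in Python syntax: (?P<x>...) instead of (?<x>...).
THREAD_PATTERN = re.compile(r"[^\.]+\.(?P<x>.*$)")

# Assumption (not from the thread): the unwanted prefix is a single leading
# label of exactly 32 letters/digits, as in the value quoted in the question,
# and at least two labels must remain after it is removed.
PREFIX_LABEL = re.compile(r"^[0-9A-Za-z]{32}\.(?=[^.]+\.[^.]+)")

def strip_first_label(host):
    """What the thread's expression does: keep everything after the first dot."""
    return THREAD_PATTERN.sub(r"\1", host)

def is_ip(host):
    """True when the value is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def strip_prefix_label(host):
    """Narrower variant: leave IPs alone, drop only a 32-character first label."""
    if is_ip(host):
        return host
    return PREFIX_LABEL.sub("", host, count=1)

def compare(hosts):
    """Return (input, thread_result, narrowed_result) for each host."""
    return [(h, strip_first_label(h), strip_prefix_label(h)) for h in hosts]

# Constructed sample values; the first is the one quoted in the question.
SAMPLE_HOSTS = [
    "ofc62fbe04078e8d3b0843298ad3421d.safeframe.googlesyndication.com",
    "safeframe.googlesyndication.com",
    "www.example.com",
    "192.0.2.10",
]

if __name__ == "__main__":
    for original, first_label_removed, prefix_removed in compare(SAMPLE_HOSTS):
        print(f"{original}\n  thread:   {first_label_removed}\n  narrowed: {prefix_removed}")
```

Once the narrower pattern holds up against real url_host values, it can be carried back into the search.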