Solved: Can someone help with regex to extract new field?

pacifiquen · ‎04-04-2023

Hello Team,

can anyone help me with the extraction of new field

input: site: mclaudelinemugasqiln.platinilemu.com:1227

site is a field

domain is mclaudelinemugasqiln.platinilemu.com:1227

i want this output: mclaudelinemugasqiln.platinilemu.com:1227

Thank you

bowesmana · ‎04-04-2023

Here's an example - is this what you are after with the rex statement?

| makeresults
| eval site="site: mclaudelinemugasqiln.platinilemu.com:1227"
| rex field=site "site:\s?(?<domain>.*)"

This assumes that the site field contains that entire string, i.e. "site: xxx" where xxx is the domain you want to extract.

This creates a new field called domain.

VatsalJagani · ‎04-06-2023

@pacifiquen - Use the below command within your search:

| rex field=input "site:\s*(?<domain>^\s+)"

I hope this helps!!!

woodcock · ‎04-06-2023

... | rename site AS domain | table domain

bowesmana · ‎04-04-2023

Here's an example - is this what you are after with the rex statement?

| makeresults
| eval site="site: mclaudelinemugasqiln.platinilemu.com:1227"
| rex field=site "site:\s?(?<domain>.*)"

This assumes that the site field contains that entire string, i.e. "site: xxx" where xxx is the domain you want to extract.

This creates a new field called domain.

Can someone help with regex to extract new field?