Re: Extract URL field in datamodel

user2020dy · ‎10-02-2020

Hello, guys

I`m trying to extract URL field from my log in Data Model (it is not extracted from _raw log and is not seen via index). I have found some variants in similar topics and added a new field (with regular expression) to Data Model. It does not cover 100% of my events, but it works.

However, I still don`t see this field when run the command

| from datamodel Network_Traffic

2 questions:

1) Can anyone answer me why the field is still not seen when whiting the search

| from datamodel Network)Traffic

Because the "Preview" tab shows the results and URLs are extracted

2) Maybe you know how I can extract the field URL directly from _raw event, because I`m confused with all answers which I saw about this topic before.

Tranks in advance

thambisetty · ‎10-02-2020

can you check your regex used to extract url once ?

apply same regex using rex command to see if that is working or not.

————————————
If this helps, give a like below.

user2020dy · ‎10-05-2020

yes, the search works fine, but if I add this rex to extract a field "URL" in datamodel, the new field doesn`t appear

Extract URL field in datamodel

count

field extraction

regex

rex

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?