Splunk Search

Extract URL field in datamodel

user2020dy
Path Finder

Hello, guys

I'm trying to extract the URL field from my log in a Data Model (it is not extracted from the _raw log and is not seen via the index). I have found some variants in similar topics and added a new field (with a regular expression) to the Data Model. It does not cover 100% of my events, but it works.


However, I still don't see this field when I run the command

| from datamodel Network_Traffic


2 questions:

1) Can anyone tell me why the field is still not seen when writing the search

| from datamodel Network_Traffic

Because the "Preview" tab shows the results and URLs are extracted.

2) Maybe you know how I can extract the field URL directly from the _raw event, because I'm confused by all the answers which I saw about this topic before.

Thanks in advance


thambisetty
SplunkTrust

Can you check your regex used to extract the URL once?

Apply the same regex using the rex command to see if that is working or not.

————————————
If this helps, give a like below.

user2020dy
Path Finder

Yes, the search works fine, but if I add this rex to extract a field "URL" in the datamodel, the new field doesn't appear.
