Solved: Extract a part of field

Olivier2024 · ‎02-20-2024

Hi all,

I'm trying to extract a part of a field. The field named Computer and is like MySrv.MyDomain.MySubDom1.com

MySubDom1 can exist or not.

I would like to extract everything after MySrv. I tried with index=MyIndex host=MySrv | rex field=_raw "(?<domaine_test>(\.\w+))"

The result create a new field Domain_test but it stores only the first part "MyDomain" and not the rest of the field.

How can I do this ?

For exemple :

Computer = "MySrv.MyDomain.MySubDom1.com"
Result : Domain_test = "MyDomain.MySubDom1.com"

ITWhisperer · ‎02-20-2024

| rex "\w+\.(?<domaine_test>[\.\w-]+)"

if the - is at the end of the character class [] it doesn't need to be escaped

ITWhisperer · ‎02-20-2024

| rex "\w+\.(?<domaine_test>[\.\w]+)"

Olivier2024 · ‎02-20-2024

Hi,

Thank you for your response.

I have some domain with "-" character, for exemple black-ice.com
The result is "black". Is it possible to get all domain ?

ITWhisperer · ‎02-20-2024

| rex "\w+\.(?<domaine_test>[\.\w-]+)"

if the - is at the end of the character class [] it doesn't need to be escaped

Olivier2024 · ‎02-20-2024

It works 🙂

Many thanks for your help !

Extract a part of field