Splunk Search

How to automatically extract domain from URL through conf files at search-time?

I have CSV inputs that include a URL field. I would like to extract the top level domain from that URL, and perform a passive reverse DNS lookup to obtain the IP address. Can this be accomplished from the conf files at search time?


Go to menu Settings -> Fields -> Fields Extraction, click New and create your field extraction there. You should associate it to the sourcetype or source. Give it a name and use the same Regex there. Don't forget to set the permissions right, normally I use Scope: "App" and "Read" to everyone.


This will get you the domain. I can't help with the DNS lookup.

... | rex field=URL "https?:\/\/(?<domain>[^/]+)" | ...
If this reply helps you, an upvote would be appreciated.
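Putting the two replies together as a conf-file version (an added example, not posted in this thread): the rex pattern above becomes a search-time EXTRACT in props.conf for the sourcetype, and an automatic LOOKUP against Splunk's built-in dnslookup external lookup fills in the IP. The sourcetype name csv_urls is assumed; dnslookup does a live forward DNS resolution on the search head, not a passive-DNS query, and the regex captures the full host part (including any port), which is what the reply's rex returns.

```ini
# props.conf (search-time, so local/props.conf on the search head is enough)
# Assumed sourcetype name: csv_urls. Attach it to the CSV input's sourcetype or source.
[csv_urls]

# Same regex as the rex in the thread, applied to the URL field at search time.
# Captures everything between the scheme and the first "/" into a new field "domain".
EXTRACT-domain = https?://(?<domain>[^/]+) in URL

# Automatic lookup using Splunk's shipped "dnslookup" external lookup
# (defined in $SPLUNK_HOME/etc/system/default/transforms.conf with
#  external_cmd = external_lookup.py clienthost clientip).
# Feeds our "domain" field in as clienthost and writes the resolved address to "ip".
# Note: this is a live forward resolution from the search head, not passive DNS.
LOOKUP-dns = dnslookup clienthost AS domain OUTPUT clientip AS ip
```

After a restart or a `| extract reload=true`, searching `sourcetype=csv_urls` shows domain and ip as fields without any rex or lookup in the search bar; unresolvable hosts simply leave ip empty.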

I have a regex for extraction, but I would like to automate the process.
