How to extract a field that is within an already e...

krishnacasso · ‎02-04-2017

Hi Ninja

I've done a field extraction for apache access log like Referer.

Referer= http(s)://FQDN/Abc/dasd/sadfasf/

Now I am trying to get only FQDN from the referer but field extractions is not allowing me to do this since that FQDN is already in a field I extracted.

I want to create a table with count of unique FQDN

Application               Count
FQDN1                       4
FQDN2                       30

Thanks.

woodcock · ‎02-21-2017

Check out these great apps:

URL Parser: https://splunkbase.splunk.com/app/1545/
URL Toolbox: https://splunkbase.splunk.com/app/2734/
URL Expander (what is that tinyurl?): https://splunkbase.splunk.com/app/3460/

gokadroid · ‎02-04-2017

If you are happy to extract it in SPL (same regex can be used elsewhere like field extractor) then try to see if this works for you:

your base query to give field Referer
| rex field=Referer "https?:\/\/(?<FQDN>[^\/]+)\/.*"
| stats count by FQDN

See extraction here

How to extract a field that is within an already extracted field?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Are you a member of the Splunk Community?

How to extract a field that is within an already extracted field?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025