How to extract part of a URL and create alert.

muqeeiz · ‎08-24-2023

Hi,

I have the following log lines:

2023-08-23 06:27:13,551 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (executor-thread-70) replacing relative valid redirect with: https:// foo.com/admin/master/console/*

2023-08-23 06:28:04,446 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-70) Recalculated absoluteURI to https:// foo.com/admin/realms/master/users

and so on....

I need to create a query and extract "foo.com" from the url so I can create an alert anytime the url is "bar.com"

Very new to splunk. so please bare with me.

Thanks

richgalloway · ‎08-24-2023

Getting the first part of the URL is pretty easy using rex.

| rex "https?:\/\/(?<domain>[^\/]+)"
| where domain="bar.com"

---
If this reply helps you, Karma would be appreciated.

gcusello · ‎08-24-2023

Hi @muqeeiz,

if you're sure that there's always https and a space after //, you culd use something like this:

| rex "https:\/\/\s*(?<url>[^\/]+)"

that you can check at https://regex101.com/r/VkelFS/1

Ciao.

Giuseppe

ITWhisperer · ‎08-24-2023

| rex "https:\/\/(?<server>[^\/]+)"

How to extract part of a URL and create alert.

field extraction

lookup

regex

rex

Get Operational Insights Quickly with Natural Language on the Splunk Platform

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Are you a member of the Splunk Community?

How to extract part of a URL and create alert.

field extraction

lookup

regex

rex

Get Operational Insights Quickly with Natural Language on the Splunk Platform

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...