How to extract part of a URL and create alert.

muqeeiz
Loves-to-Learn

Hi, 

I have the following log lines:

2023-08-23 06:27:13,551 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (executor-thread-70) replacing relative valid redirect with: https:// foo.com/admin/master/console/*

2023-08-23 06:28:04,446 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-70) Recalculated absoluteURI to https:// foo.com/admin/realms/master/users

and so on....

I need to create a query and extract "foo.com" from the URL so I can create an alert anytime the URL is "bar.com".

Very new to Splunk, so please bear with me.

Thanks

0 Karma

richgalloway
SplunkTrust

Getting the first part of the URL is pretty easy using rex.

| rex "https?:\/\/(?<domain>[^\/]+)"
| where domain="bar.com"

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
SplunkTrust

Hi @muqeeiz,

If you're sure that there's always https and a space after //, you could use something like this:

| rex "https:\/\/\s*(?<url>[^\/]+)"

that you can check at https://regex101.com/r/VkelFS/1

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
| rex "https:\/\/(?<server>[^\/]+)"
0 Karma
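
Added example, not part of any reply above: a self-contained search that builds four test events with makeresults and runs one extraction that tolerates the optional space after `//`, stops at a port, and lowercases the host before an exact comparison. Event 1 is the first log line from the question; events 2 to 4 are constructed (the hosts `BAR.com:8443` and `bar.com.example.net` and the field names `n` and `domain` are assumptions made for the test).

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n=1, "2023-08-23 06:27:13,551 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (executor-thread-70) replacing relative valid redirect with: https:// foo.com/admin/master/console/*",
    n=2, "2023-08-23 06:28:04,446 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-70) Recalculated absoluteURI to https:// bar.com/admin/realms/master/users",
    n=3, "constructed sample: Recalculated absoluteURI to https://BAR.com:8443/admin/realms/master/users",
    n=4, "constructed sample: Recalculated absoluteURI to https://bar.com.example.net/admin/realms/master/users")
| rex "https?:\/\/\s*(?<domain>[^\/\s:]+)"
| eval domain=lower(domain)
| where domain="bar.com"
| table n domain _raw
```

Against real data, replace the first three commands with the base search for the Keycloak logs and save the result as an alert that triggers when the number of results is greater than zero. The exact comparison keeps events 2 and 3 and drops the lookalike host in event 4, which a wildcard or substring match on "bar.com" would also have returned.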