Hi,
I have the following log lines:
2023-08-23 06:27:13,551 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (executor-thread-70) replacing relative valid redirect with: https:// foo.com/admin/master/console/*
2023-08-23 06:28:04,446 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-70) Recalculated absoluteURI to https:// foo.com/admin/realms/master/users
and so on....
I need to create a query and extract "foo.com" from the URL so I can create an alert any time the URL is "bar.com".
Very new to Splunk, so please bear with me.
Thanks
Getting the first part of the URL is pretty easy using rex.
| rex "https?:\/\/\s*(?<domain>[^\/]+)"
| where domain="bar.com"
Hi @muqeeiz,
if you're sure that there's always https and a space after //, you could use something like this:
| rex "https:\/\/\s*(?<url>[^\/]+)"
that you can check at https://regex101.com/r/VkelFS/1
Ciao.
Giuseppe
| rex "https:\/\/\s*(?<server>[^\/]+)"
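The rex patterns in the answers above all do the same job: capture everything between the scheme and the first slash as the host. Before turning that into an alert it is worth checking the extraction against the actual log lines, because the space after "https://" in the question's logs would otherwise end up inside the captured field and `where domain="bar.com"` would never match. The Python below is an added example, not code from any of the posters or from Splunk; it replays the same regex logic over constructed sample lines (modelled on the question's two lines, plus a few edge cases I made up) so you can see which lines would fire. Python's `re` module spells a named group `(?P<name>...)` rather than PCRE's `(?<name>...)`, and I excluded whitespace from the host character class, which is slightly tighter than the `[^\/]+` used in the answers.

```python
import re
from typing import List, Optional

# Constructed sample lines (modelled on the question's Keycloak/Quarkus DEBUG lines, not real
# output). Lines 1-2 contain the stray space after "https://" that the poster's logs show;
# the rest are made-up edge cases: an exact bar.com hit, a look-alike host, "bar.com" in a
# path rather than a host, and a line with no URL at all.
SAMPLE_LINES = [
    "2023-08-23 06:27:13,551 DEBUG [org.keycloak.protocol.oidc.utils.RedirectUtils] (executor-thread-70) replacing relative valid redirect with: https:// foo.com/admin/master/console/*",
    "2023-08-23 06:28:04,446 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-70) Recalculated absoluteURI to https:// foo.com/admin/realms/master/users",
    "2023-08-23 06:29:00,000 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-71) Recalculated absoluteURI to https://bar.com/admin/realms/master/users",
    "2023-08-23 06:29:01,000 DEBUG [io.quarkus.vertx.http.runtime.ForwardedParser] (executor-thread-71) Recalculated absoluteURI to http://bar.com.example/admin",
    "2023-08-23 06:29:02,000 DEBUG [org.keycloak.events] (executor-thread-72) type=LOGIN, realm=master, path=/bar.com/callback",
    "2023-08-23 06:29:03,000 INFO  [io.quarkus] (main) Keycloak started",
]

# Same shape as the rex patterns in the answers: optional "s" in the scheme, \s* to tolerate
# the space after "//", then the host up to the first slash. Python needs (?P<name>...).
# Excluding whitespace from the host class is an assumption of mine so that a URL with no
# trailing slash does not swallow the rest of the line.
URL_HOST_RE = re.compile(r"https?://\s*(?P<domain>[^/\s]+)")


def extract_domain(line: str) -> Optional[str]:
    """Return the host of the first URL in the line (trimmed, lower-cased), or None."""
    m = URL_HOST_RE.search(line)
    if m is None:
        return None
    return m.group("domain").strip().lower()


def is_alert_host(line: str, watched: str = "bar.com") -> bool:
    """True only when the extracted host is exactly the watched host.

    Exact comparison matters: "bar.com.example" and "bar.com" appearing in a path are not
    hits, which is what `where domain="bar.com"` gives you in SPL as well.
    """
    return extract_domain(line) == watched.lower()


def alert_lines(lines: List[str], watched: str = "bar.com") -> List[str]:
    """Filter a batch of raw lines down to those that should raise the alert."""
    return [line for line in lines if is_alert_host(line, watched)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{extract_domain(line)!s:20} {'ALERT' if is_alert_host(line) else ''}")
```

Two Splunk-side caveats that the dry run makes visible: `rex` reads `_raw` by default, and `where domain="bar.com"` is a case-sensitive, exact string comparison, so anything captured alongside the host (a leading space, a port such as `bar.com:8443`) stops the alert from firing; test the extraction with `| rex ... | stats count by domain` first and only then attach the `where` clause to the alert.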