Splunk Search

How to extract the domain field from the URL ?

ranjyotiprakash
Communicator

I want to extract the domain from the URL field present in my logs.
The URL fields are kind of
1 **99.99.115.10**/.aaa_dap.html
2 **99.99.115.10**/.index.html
3 **99.99.115.10**/aaa_dap.html?name=/*
4 **99.99.115.10**/aaa_dap/.html
5 **99.99.115.10**/index.html?name=/
6 **99.99.115.10**/index/.html
7 **[fed0:9999::1151]**/.aaa_dap.html
8 **[fed0:9999::1151]**/.index.html
9 **[fed0:9999::1151]**/aaa_dap.html?name=/*
10 **[fed0:9999::1151]**/aaa_dap/.html
11 **[fed0:9999::1151]**/index.html?name=/*
12 **[fed0:9999::1151]**/index/.html
13 **fed0:9999::1151**/name?nameee=/
14 **my.domain.com**/index.html
15 **you.mydomain.org**/home.html

I want to extract the bold letters. How to do this?

Thanks...

0 Karma

Mahieu
Communicator

You could also use the "Field Extractor" app if it gets really specific.

Lamar
Splunk Employee

As I don't really know what your entire log looks like, I'll just write the expression that fits for the data you've provided.

^\d+\s+([^/]+)\/
0 Karma
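
The pattern from the answer above, run against records from the question, as an added example that is not part of the original thread. It uses Python's `re` module rather than Splunk; the helper name `extract_host` is hypothetical, and record 16 is constructed to show that a URL with no path is not matched.

```python
import ipaddress
import re

# Pattern from the answer above: leading record number, whitespace, then
# everything up to the first "/" is captured as the host.
HOST_RE = re.compile(r"^\d+\s+([^/]+)/")

# Sample records copied from the question (record number + URL).
SAMPLES = [
    "1 99.99.115.10/.aaa_dap.html",
    "3 99.99.115.10/aaa_dap.html?name=/*",
    "9 [fed0:9999::1151]/aaa_dap.html?name=/*",
    "13 fed0:9999::1151/name?nameee=/",
    "14 my.domain.com/index.html",
    "15 you.mydomain.org/home.html",
]


def extract_host(record):
    """Return (host, kind) for one record, or None if the pattern misses.

    kind is "ipv4", "ipv6" or "hostname". Brackets around an IPv6
    literal are stripped so both spellings normalise to the same value.
    """
    match = HOST_RE.match(record)
    if match is None:
        return None
    host = match.group(1).strip()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower(), "hostname"
    return str(addr), "ipv6" if addr.version == 6 else "ipv4"


if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", extract_host(line))
    # Constructed record: no "/" after the host, so the pattern does not match.
    print(extract_host("16 my.domain.com"))
```
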

Lamar
Splunk Employee

Also, you might think about using the field extraction mechanics inside the UI. It's very helpful when trying to figure out tricky expressions.

0 Karma