Re: How to trim away the port and use only URL aft...

kiran331 · ‎02-12-2018

Hi,

I have a field with values URL and port, how to trim away the port and only use URL?
For example,

abc.net:9090
abc.bb23.org:8081

required output:

abc.net
abc.bb23.org

mayurr98 · ‎02-12-2018

hey try this run anywhere search

| makeresults 
| eval data="abc.net:9090 abc.bb23.org:8081" 
| makemv data 
| mvexpand data 
| rex field=data "^(?P<URL>[^\:]+)\:"

In your environment, you should write

<your_base_search> | rex field=<field_name>  "^(?P<URL>[^\:]+)\:"

let me know if this helps!

richgalloway · ‎02-12-2018

One way is with rex.

... | rex field=foo "(?<URL>[^:]+)" | ...

---
If this reply helps you, Karma would be appreciated.

supabuck · ‎02-12-2018

Hello,

You want to use a regular expression to complete this.

If your field is called ipaddr the following code would apply. Replace the word ipaddr with whatever field you have which captures the IP address.

index=foo sourcetype=bar | rex field=ipaddr "(?P<ipaddr>.*):"

This returns everything before the : and places it in the field called ipaddr.

Let me know if this works.

Thank you,
Supabuck

How to trim away the port and use only URL after ":"?