Hi,
How do I write a regular expression to extract the domain name from the dest_host, like extracting the last character before the second "."?
For example:
stg-ec-ore-u.uplynk.com
7.tlu.dl.delivery.mp.microsoft.com
stg-ec-norcal-u.microsoft.com
foxnews-f.akamaihd.net
cnnios-f.akamaihd.net
daarack02.vpg.cdn.yimg.com
redir.adap.tv
Required Output:
.uplynk.com
.microsoft.com
.akamaihd.net
.yimg.com
.adap.tv
Try this:
rex field=dest_host "[^\.]+(?<domain>.+)"
Try like this
Updated
your search | rex field=dest_host "(?<domain>\.[A-z0-9]+\.[A-z0-9]+)$"
I tried, it's not working.
Missed a + sign at the end. Try the updated answer.
Thanks somesoni2! It worked. Is there a way to remove the . before the domain name?
Just remove the \. after <domain>. A more accurate version would be like this:
your search | rex field=dest_host "\.(?<domain>[A-z0-9]+\.[A-z0-9]+)$"
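An offline check of the patterns in this thread, added here as an example and not posted by any participant: it runs them over the question's hosts in Python, where the named group is spelled (?P<domain>...). The ANY_LABEL pattern and the hosts in EDGE_CASES are constructed assumptions, not from the thread.

```python
import re

# Patterns from the thread, with (?<domain>...) written as Python's (?P<domain>...).
ANSWER_TWO_LABELS = re.compile(r"(?P<domain>\.[A-z0-9]+\.[A-z0-9]+)$")
ANSWER_AFTER_FIRST_LABEL = re.compile(r"[^\.]+(?P<domain>.+)")
# Assumption (not from the thread): accept any non-dot characters in a label,
# so hyphenated domain names are matched as well.
ANY_LABEL = re.compile(r"(?P<domain>\.[^.]+\.[^.]+)$")

# Hosts and required output copied from the question.
SAMPLES = {
    "stg-ec-ore-u.uplynk.com": ".uplynk.com",
    "7.tlu.dl.delivery.mp.microsoft.com": ".microsoft.com",
    "stg-ec-norcal-u.microsoft.com": ".microsoft.com",
    "foxnews-f.akamaihd.net": ".akamaihd.net",
    "cnnios-f.akamaihd.net": ".akamaihd.net",
    "daarack02.vpg.cdn.yimg.com": ".yimg.com",
    "redir.adap.tv": ".adap.tv",
}

# Constructed hosts (not from the thread) for cases the samples do not cover:
# a hyphenated domain, a multi-label suffix, and a host with no dot.
EDGE_CASES = ["cdn.my-site.com", "www.example.co.uk", "localhost"]


def extract(pattern, host):
    """Return the 'domain' capture, or None when the pattern does not match."""
    m = pattern.search(host)
    return m.group("domain") if m else None


def mismatches(pattern, samples=SAMPLES):
    """Map host -> extracted value for each sample that misses the required output."""
    return {h: extract(pattern, h) for h, want in samples.items()
            if extract(pattern, h) != want}


if __name__ == "__main__":
    patterns = {"two labels": ANSWER_TWO_LABELS,
                "after first label": ANSWER_AFTER_FIRST_LABEL,
                "any label": ANY_LABEL}
    for name, pat in patterns.items():
        print(name, "->", mismatches(pat) or "all samples match")
        for host in EDGE_CASES:
            print("   ", host, "=>", extract(pat, host))
```

Taking the last two labels returns the suffix rather than the owning domain for names under multi-label suffixes such as .co.uk, so fields built this way group unrelated sites together for those hosts.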