Solved: How to write a regular expression to extract the d...

kiran331 · ‎03-13-2017

Hi,

How to write a regular expression to use to extract the domain name from the dest_host, like extracting the last character before second "."
for example:
stg-ec-ore-u.uplynk.com
7.tlu.dl.delivery.mp.microsoft.com

stg-ec-norcal-u.microsoft.com

foxnews-f.akamaihd.net

cnnios-f.akamaihd.net

daarack02.vpg.cdn.yimg.com

redir.adap.tv

Required Output:
.uplynk.com
.microsoft.com

.akamaihd.net

.yimg.com
.adap.tv

somesoni2 · ‎03-13-2017

Try like this

Updated

your search | rex field=dest_host "(?<domain>\.[A-z0-9]+\.[A-z0-9]+)$"

View solution in original post

asimagu · ‎03-13-2017

try this:

rex field=dest_host "[^\.]+(?<domain>.+)"

somesoni2 · ‎03-13-2017

Try like this

Updated

your search | rex field=dest_host "(?<domain>\.[A-z0-9]+\.[A-z0-9]+)$"

kiran331 · ‎03-13-2017

I tried, its not working

somesoni2 · ‎03-13-2017

Missed a + sign at the end. Try the updated answer.

kiran331 · ‎03-13-2017

Thanks somesoni2! It worked, is there a way to remove . before domain name.

somesoni2 · ‎03-13-2017

Just remove the \. after <domain>. A more accurate version would be like this

your search | rex field=dest_host "\.(?<domain>[A-z0-9]+\.[A-z0-9]+)$"

How to write a regular expression to extract the domain name from dest_host field?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL