Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Make field reference after a certain value

LeandroKopke
Explorer
‎04-11-2019 07:30 AM

I have a query that has two native fields, they are "referenced_host" and "url".
I performed the extraction of the "referenced_host" field by naming it as the domain.
The problem is that the domain field comes empty whenever the URL field contains "HTTPS" values.

Example:

"Referenced_host" field value = ctldl.windowsupdate.com
Domain field value = ctldl.windowsupdate.com
URL field value = http://ctldl.windowsupdate.com/msdownload/update/v3/stati (...)

Example 2:

Referenced_host field value = null
Domain field value = null
URL field value = https://www.facebook.com

Would I have to make the domain field assume the value of the URL field, every time the URL field has values ​​beginning with "HTTPS"?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmarling
Builder
‎04-11-2019 10:41 AM

The referenced host field extraction should be this so you get both http and https prefixed domains:

| rex field=URL "https?:\/\/(?<domain>[^\/\s]+)"

The "s?" in the regular expression means match 1 or 0 times so if a "s" is present it will still proceed to where the domain is located on your url.

Here's a link to this picking up both domain's you listed as examples in regex101: https://regex101.com/r/aFKeoc/1

If this comment/answer was helpful, please up vote it. Thank you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dmarling
Builder
‎04-11-2019 10:41 AM

The referenced host field extraction should be this so you get both http and https prefixed domains:

| rex field=URL "https?:\/\/(?<domain>[^\/\s]+)"

The "s?" in the regular expression means match 1 or 0 times so if a "s" is present it will still proceed to where the domain is located on your url.

Here's a link to this picking up both domain's you listed as examples in regex101: https://regex101.com/r/aFKeoc/1

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2019 07:56 AM

How are you extracting the referenced_host field? You probably need to modify the extraction to recognize 'https'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

LeandroKopke
Explorer
‎04-11-2019 08:20 AM

Extraction of the domain field was done based on the referenced_host field.
It turns out that every time the URL field comes with "HTTPS" the referenced_host field is empty, making the domain field also empty.
I need every time the URL field has values ​​with "HTTPS" the domain field assumes this value and every time the URL field comes with "HTTP" values ​​the domain field assumes the values ​​of the referenced_host field.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...