Solved: Regex in Playbook

chandraprathi · ‎08-03-2020

I have required where the CEF comes as URL and I need just a part of the URL to pass as input(ARTIFACT.CEF.URL) to action in Splunk phantom. I am using the phantom version 4.8. Can someone suggest me an idea on How I can just pass the part of the URL instead of the complete URL?

chandraprathi · ‎09-23-2020

yes @sam_splunk

View solution in original post

chandraprathi · ‎09-19-2020

Thank you for your reply @sam_splunk. I have fixed it by extracting the portion of the URL which I need and forgot to mention it here.

sam_splunk · ‎09-23-2020

Did you end up doing the extraction on the Splunk side?

chandraprathi · ‎09-23-2020

yes @sam_splunk

sam_splunk · ‎09-18-2020

So you've got an artifact (e.g. souceAddress = "https://www.somedomain.com") and you want to trim out a portion of it (e.g. somedomain.com) to make available for downstream blocks?

ikiransuryavans · ‎03-27-2024

^([A-Za-z0-9]\.|[A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9]\.){1,3}[A-Za-z]{2,6}$

Regex in Playbook

field extraction

regex

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation