Solved: Regex in Playbook

chandraprathi · ‎08-03-2020

I have required where the CEF comes as URL and I need just a part of the URL to pass as input(ARTIFACT.CEF.URL) to action in Splunk phantom. I am using the phantom version 4.8. Can someone suggest me an idea on How I can just pass the part of the URL instead of the complete URL?

chandraprathi · ‎09-23-2020

yes @sam_splunk

View solution in original post

chandraprathi · ‎09-19-2020

Thank you for your reply @sam_splunk. I have fixed it by extracting the portion of the URL which I need and forgot to mention it here.

sam_splunk · ‎09-23-2020

Did you end up doing the extraction on the Splunk side?

chandraprathi · ‎09-23-2020

yes @sam_splunk

sam_splunk · ‎09-18-2020

So you've got an artifact (e.g. souceAddress = "https://www.somedomain.com") and you want to trim out a portion of it (e.g. somedomain.com) to make available for downstream blocks?

ikiransuryavans

^([A-Za-z0-9]\.|[A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9]\.){1,3}[A-Za-z]{2,6}$

Regex in Playbook

field extraction

regex

subsearch

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms