Solved: Regex in Playbook

chandraprathi · ‎08-03-2020

I have required where the CEF comes as URL and I need just a part of the URL to pass as input(ARTIFACT.CEF.URL) to action in Splunk phantom. I am using the phantom version 4.8. Can someone suggest me an idea on How I can just pass the part of the URL instead of the complete URL?

chandraprathi · ‎09-23-2020

yes @sam_splunk

View solution in original post

chandraprathi · ‎09-19-2020

Thank you for your reply @sam_splunk. I have fixed it by extracting the portion of the URL which I need and forgot to mention it here.

sam_splunk · ‎09-23-2020

Did you end up doing the extraction on the Splunk side?

chandraprathi · ‎09-23-2020

yes @sam_splunk

sam_splunk · ‎09-18-2020

So you've got an artifact (e.g. souceAddress = "https://www.somedomain.com") and you want to trim out a portion of it (e.g. somedomain.com) to make available for downstream blocks?

Regex in Playbook

field extraction

regex

subsearch

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?