Split the address field with regular

WXY · ‎11-06-2018

I want to use rex to get a field value.
Now I have a field named URL
Some data such as :

http://10.2.3.44:8080
http://1.3.2.55:8011/Login.aspx
https://wwx.ff-ac.com/login
https://192.443.67.91:8044/bs_y/index.jsp
http://rr-ww.ff-ac.com/rr_platform_ww/ayyu
 https://t.ff-ac.com/ipi/IP_A/login.do?p=I_log

But I just want to get such as

http://10.2.3.44:8080
 http://1.3.2.55:8011
 https://wwx.ff-ac.com
 https://192.443.8.91:8044
 http://rr-ww.ff-ac.com
 https://t.ff-ac.com

The above data is written randomly according to my data.

That is to say I only hope to get [http|https]://IP:port OR [http|https]://domain

What should I do?

gokadroid · ‎11-06-2018

Lets say your url data is in field called URL then you can try below to get the required data in a field called myRequiredData:

your query to return URL field
| rex field=URL "(?<myRequiredData>(http(s)*:\/\/)[^\/\s]+)"
| table URL, myRequiredData

See the regex reference here

Split the address field with regular

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Split the address field with regular

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future