Splunk Search
Highlighted

TLD Extraction for Report

Explorer

I'm looking at creating a report that extracts suspicious TLDS over a period of time such as, as past six hours, or past twelve hours etc. Some of the TLD that I want to look at would be .ru, .ua or double like .rr.nu or cz.cc.

I'm looking for a good way to extract the TLD from the URL and display that in a chart. I've seen a few regex's floating around but haven't had much luck modifying them into what I want to do.

Thanks in advance

Tags (2)
Highlighted

Re: TLD Extraction for Report

Engager

Looking for the same answer to this too.

0 Karma
Highlighted

Re: TLD Extraction for Report

Loves-to-Learn

Does anyone have the answer for this question? I'm looking for the same thing.

0 Karma
Highlighted

Re: TLD Extraction for Report

Explorer

I am trying to use a erex with several examples to do the same thing.
http://docs.splunk.com/Documentation/Splunk/4.1.5/SearchReference/Erex

0 Karma
Highlighted

Re: TLD Extraction for Report

Explorer

Try using this regex | rex "(?i)(?P.\w+)\d+.\w+\s+\d+\s+(?:/[^/]*){4}"

0 Karma