Solved: Re: how does splunk analyse URL？

crazyeva · ‎11-01-2012

for example：
x.company1.com
x.x.company2.com.cn
x.x.x.company3.cn
x.company4.co.jp
how to extract with rex those "companyn"s?
edit：
infact i face a problem that my expression tooks "com" as a company

gcoles · ‎11-02-2012

This can be difficult, since so many top level domains are possible. If you have a fixed list of tld's that are common in your result set, you could use a regex like this to extract the website name (eg, google) from an existing field (eg, referer😞

(?P< website>[^. ]*)\.(?:co[m]?|net|cn|ca)

(Note that the space in front of the field name, website, is only there because the forum code required them for parsing, remove them in your rex command and/or transforms). Example usage (with the extra space):

index=weblogs referer=* | rex field=referer "(?P< referer_website>[^. ]*)\.(?:co[m]?|net|cn|ca)" | top referer_website

View solution in original post

gcoles · ‎11-02-2012

This can be difficult, since so many top level domains are possible. If you have a fixed list of tld's that are common in your result set, you could use a regex like this to extract the website name (eg, google) from an existing field (eg, referer😞

(?P< website>[^. ]*)\.(?:co[m]?|net|cn|ca)

(Note that the space in front of the field name, website, is only there because the forum code required them for parsing, remove them in your rex command and/or transforms). Example usage (with the extra space):

index=weblogs referer=* | rex field=referer "(?P< referer_website>[^. ]*)\.(?:co[m]?|net|cn|ca)" | top referer_website

how does splunk analyse URL？

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!