Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- need rex help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
need rex help
in my event i want to extract TLD's
i want to extract:
com
news
tech
net
org
please help me with rex?
thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
URL Toolbox: https://splunkbase.splunk.com/app/2734/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
(?<TLD>\.\w+?)(?:$|\/)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rex field=your_field "(?<TLD>com|news|tech|net|org)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vikram1583,
Try this:
| rex "\w*\.(?<tld>[a-z]+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not working
hec? what is "TLD" you say?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share some raw data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vikram1583 What do your logs look like? Are you extracting from fields that already identified websites or email addresses or do you have a mess in your logs that you need to identify the pattern first and then the TLD? Are these URL's fully qualified, like https://www.example.com/, or are the more like example.com? Do they end at the TLD, or continue with parameters/directories/etc.? Details and a log sample will go a long way in people being able to help you efficiently.
If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vikram1583 I maintain that this will go better with more details and a log sample. Please edit your question with a sample log (scrub for anything sensitive). Some of these proposed solutions aren't successful against patterns such as:
https://answers.splunk.com/answers/806969/need-rex-help.html (where the valid TLD is com)
www.example.wanggou (where the valid TLD would be wanggou)
etc.
If this reply helps you, an upvote would be appreciated.
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
