Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: need rex help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
need rex help
in my event i want to extract TLD's
i want to extract:
com
news
tech
net
org
please help me with rex?
thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
URL Toolbox: https://splunkbase.splunk.com/app/2734/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
(?<TLD>\.\w+?)(?:$|\/)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rex field=your_field "(?<TLD>com|news|tech|net|org)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vikram1583,
Try this:
| rex "\w*\.(?<tld>[a-z]+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not working
hec? what is "TLD" you say?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share some raw data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vikram1583 What do your logs look like? Are you extracting from fields that already identified websites or email addresses or do you have a mess in your logs that you need to identify the pattern first and then the TLD? Are these URL's fully qualified, like https://www.example.com/, or are the more like example.com? Do they end at the TLD, or continue with parameters/directories/etc.? Details and a log sample will go a long way in people being able to help you efficiently.
If this reply helps you, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vikram1583 I maintain that this will go better with more details and a log sample. Please edit your question with a sample log (scrub for anything sensitive). Some of these proposed solutions aren't successful against patterns such as:
https://answers.splunk.com/answers/806969/need-rex-help.html (where the valid TLD is com)
www.example.wanggou (where the valid TLD would be wanggou)
etc.
If this reply helps you, an upvote would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
