Splunk Search

need rex help

vikram1583
Explorer

in my event i want to extract TLD's

i want to extract:
com
news
tech
net
org

please help me with rex?
thanks in advance

Tags (2)
0 Karma

woodcock
Esteemed Legend
0 Karma

sumanssah
Communicator

Try this

(?<TLD>\.\w+?)(?:$|\/)
0 Karma

to4kawa
Ultra Champion
rex field=your_field "(?<TLD>com|news|tech|net|org)"
0 Karma

manjunathmeti
Champion

Hi @vikram1583,

Try this:

| rex "\w*\.(?<tld>[a-z]+)$" 
0 Karma

vikram1583
Explorer

not working

0 Karma

to4kawa
Ultra Champion

not working
hec? what is "TLD" you say?

0 Karma

manjunathmeti
Champion

Please share some raw data.

0 Karma

efavreau
Motivator

@vikram1583 What do your logs look like? Are you extracting from fields that already identified websites or email addresses or do you have a mess in your logs that you need to identify the pattern first and then the TLD? Are these URL's fully qualified, like https://www.example.com/, or are the more like example.com? Do they end at the TLD, or continue with parameters/directories/etc.? Details and a log sample will go a long way in people being able to help you efficiently.

###

If this reply helps you, an upvote would be appreciated.
0 Karma

efavreau
Motivator

@vikram1583 I maintain that this will go better with more details and a log sample. Please edit your question with a sample log (scrub for anything sensitive). Some of these proposed solutions aren't successful against patterns such as:
https://answers.splunk.com/answers/806969/need-rex-help.html (where the valid TLD is com)
www.example.wanggou (where the valid TLD would be wanggou)
etc.

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...