Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

position of a character in a string

jrodriguezap
Contributor
‎09-25-2013 10:58 AM

Hello
I'm trying to do a substr to strings such as:

google-public-dns-b.google.com
cachewas.tdp.net.pe
b.resolvers.Level3.net

And give me back the following:

google.com
tdp.net.pe
Level3.net

I thought doing a substr(domain,(mvjoin(domain,"."))
But it turned out, that way it could be achieved?
I would appreciate your support.
Regards

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wrangler2x
Motivator
‎09-25-2013 03:31 PM

I'm assuming that you have a field for that FQDN called 'hostname'. If that is not the field name, use what is the field name. If you don't have a field for the FQDN pre-defined, then the answer would be different. This answer assumes you want two levels of the domain name (as in google.com):

... | rex field=hostname "\.(?<s_domainname>\S+\.\S+)$"

View solution in original post

Reply
Solved! Jump to solution
Solution

wrangler2x
Motivator
‎09-25-2013 03:31 PM

I'm assuming that you have a field for that FQDN called 'hostname'. If that is not the field name, use what is the field name. If you don't have a field for the FQDN pre-defined, then the answer would be different. This answer assumes you want two levels of the domain name (as in google.com):

... | rex field=hostname "\.(?<s_domainname>\S+\.\S+)$"
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎09-26-2013 11:46 AM

.co.uk 😞

I've thought about working on an app to build up the known TLDs in order to get a correct "domain" mapping, but I never got around to it.

0 Karma
Reply
Solved! Jump to solution

MonkeyK
Builder
‎11-21-2017 04:55 AM

old question, but i worked through a similar problem in
This question

Basically, you can use these to get at different subdomain levels

  | rex field=dest_hostname "(?P<ld2>[\w_-]+\.[\w_-]+)$" 
  | rex field=dest_hostname "(?P<ld3>[\w_-]+\.[\w_-]+\.[\w_-]+)$" 
  | rex field=dest_hostname "(?P<ld4>[\w_-]+\.[\w_-]+\.[\w_-]+\.[\w_-]+)$"
0 Karma
Reply
Solved! Jump to solution

jrodriguezap
Contributor
‎09-26-2013 11:43 AM

It's very good.
Thank you very much.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎09-25-2013 11:06 AM

How would you (and thus Splunk) know that the second domain is supposed to be transformed to "tdp.net.pe" and not just "net.pe"?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...