Hello,

Suppose I've got the following URLs among a lot of others (logs come from something close to Squid but not indexed properly by Splunk):

nav.smartscreen.microsoft.com:443
https://www.francebleu.fr/img/antenne.svg
http://frplab.com:37566/sdhjkzui1782109zkjeznds
http://192.168.120.25:25
https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_175%2Cw_300%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd46af9fc9a462b0904026156648340b7.jpg

I wish I could extract the port number when there is one. I saw a lot of similar cases on Splunk Answers, but the URL formatting was less variable than mine.

The only way to achieve my aim was to use the following SPL:

index=* sourcetype=syslog
| rex field=url "(http|https)?[^\:]+\:(?<port>[^\/]+)"
| eval monport = if(isint(port), port, 0)
| top monport

Is there a more elegant way to do it?
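An added example, not part of the original post: a start-anchored pattern that only accepts a port directly after the host, checked in Python against the five URLs quoted above. The names `PORT_RE`, `extract_port` and `top_ports` are hypothetical; the pattern uses only PCRE-compatible constructs, and in Splunk's `rex` the named group is written `(?<port>...)` rather than Python's `(?P<port>...)`.

```python
import re
from collections import Counter

# Anchored at the start, so a colon later in the path or query is never considered.
PORT_RE = re.compile(
    r"^(?:[a-zA-Z][a-zA-Z0-9+.-]*://)?"   # optional scheme://
    r"(?:[^/?#@]*@)?"                     # optional userinfo@
    r"(?:\[[^\]]+\]|[^/?#:\[\]]+)"        # bracketed IPv6 literal, or host
    r":(?P<port>\d{1,5})"                 # explicit port, digits only
    r"(?=[/?#]|$)"                        # the port must end the authority
)

def extract_port(url):
    """Return the explicit port as an int, or None when absent or out of range."""
    m = PORT_RE.match(url.strip())
    if not m:
        return None
    port = int(m.group("port"))
    return port if 0 < port <= 65535 else None

# The five sample URLs from the post.
SAMPLES = [
    "nav.smartscreen.microsoft.com:443",
    "https://www.francebleu.fr/img/antenne.svg",
    "http://frplab.com:37566/sdhjkzui1782109zkjeznds",
    "http://192.168.120.25:25",
    "https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_175"
    "%2Cw_300%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com"
    "%2Flibtrc%2Fstatic%2Fthumbnails%2Fd46af9fc9a462b0904026156648340b7.jpg",
]

def top_ports(urls):
    """Count ports, using 0 for 'no explicit port' as the post's eval does."""
    return Counter(extract_port(u) or 0 for u in urls).most_common()

if __name__ == "__main__":
    for u in SAMPLES:
        print(extract_port(u), u[:60])
    print(top_ports(SAMPLES))
```

Because the port group accepts digits only, no `isint()` clean-up step is needed, and the `g_faces:auto` colon in the last URL's path is never reached.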