Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

position of a character in a string

jrodriguezap
Contributor
‎09-25-2013 10:58 AM

Hello
I'm trying to do a substr to strings such as:

google-public-dns-b.google.com
cachewas.tdp.net.pe
b.resolvers.Level3.net

And give me back the following:

google.com
tdp.net.pe
Level3.net

I thought doing a substr(domain,(mvjoin(domain,"."))
But it turned out, that way it could be achieved?
I would appreciate your support.
Regards

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wrangler2x
Motivator
‎09-25-2013 03:31 PM

I'm assuming that you have a field for that FQDN called 'hostname'. If that is not the field name, use what is the field name. If you don't have a field for the FQDN pre-defined, then the answer would be different. This answer assumes you want two levels of the domain name (as in google.com):

... | rex field=hostname "\.(?<s_domainname>\S+\.\S+)$"

View solution in original post

Reply
Solved! Jump to solution
Solution

wrangler2x
Motivator
‎09-25-2013 03:31 PM

I'm assuming that you have a field for that FQDN called 'hostname'. If that is not the field name, use what is the field name. If you don't have a field for the FQDN pre-defined, then the answer would be different. This answer assumes you want two levels of the domain name (as in google.com):

... | rex field=hostname "\.(?<s_domainname>\S+\.\S+)$"
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎09-26-2013 11:46 AM

.co.uk 😞

I've thought about working on an app to build up the known TLDs in order to get a correct "domain" mapping, but I never got around to it.

0 Karma
Reply
Solved! Jump to solution

MonkeyK
Builder
‎11-21-2017 04:55 AM

old question, but i worked through a similar problem in
This question

Basically, you can use these to get at different subdomain levels

  | rex field=dest_hostname "(?P<ld2>[\w_-]+\.[\w_-]+)$" 
  | rex field=dest_hostname "(?P<ld3>[\w_-]+\.[\w_-]+\.[\w_-]+)$" 
  | rex field=dest_hostname "(?P<ld4>[\w_-]+\.[\w_-]+\.[\w_-]+\.[\w_-]+)$"
0 Karma
Reply
Solved! Jump to solution

jrodriguezap
Contributor
‎09-26-2013 11:43 AM

It's very good.
Thank you very much.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎09-25-2013 11:06 AM

How would you (and thus Splunk) know that the second domain is supposed to be transformed to "tdp.net.pe" and not just "net.pe"?

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...