I cannot find a working example of this anywhere. I can find examples a mile long on Google, but am having trouble actually assigning them to a variable in Splunk.
I got what I needed using the following:
|rex field=_raw "(?(https?:\/\/([-\w\.]+)+(:\d+)?))"
Try this, for 3 capturing groups. You can name each group, if desired.
... | rex "https?:\/\/([^\.]+)\.([^\.]+)\.([^\/]+)"
Need a sample log entry
http or https
then ://
then anything up to .
then anything up to .
then anything up to first /
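The two rex patterns above can be checked outside Splunk, since rex uses PCRE-style syntax that Python's re module handles for these expressions. The following is an added example, not code from either answer: it runs the first answer's URL pattern and the second answer's three-group pattern over three constructed log lines. The group name url is an assumption (the name in the first answer's (?<...>) was dropped when the page was rendered), and the names sub, domain and rest on the second pattern are likewise added here. The third sample line has no subdomain, which is the case the three-group pattern does not match, so the check returns None for it rather than a wrong split.

```python
import re

# Constructed sample log lines (not from the original thread); hosts are made up.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z GET https://www.example.com/index.html 200",
    "2024-01-01T10:00:01Z GET http://api.internal.example.org:8080/v1/items 404",
    "2024-01-01T10:00:02Z GET http://example.com/no-subdomain 200",
]

# Python form of: rex field=_raw "(?<url>(https?:\/\/([-\w\.]+)+(:\d+)?))"
# The group name "url" is an assumption; the original answer's name was lost.
# Host characters stop at the first "/" and an optional ":port" is kept.
URL_RE = re.compile(r"(?P<url>https?://([-\w.]+)+(:\d+)?)")

# Python form of: rex "https?:\/\/([^\.]+)\.([^\.]+)\.([^\/]+)"
# Group names added here for readability; the second answer left them unnamed.
# Note the third group runs to the first "/" and therefore includes any ":port".
HOST_PARTS_RE = re.compile(
    r"https?://(?P<sub>[^.]+)\.(?P<domain>[^.]+)\.(?P<rest>[^/]+)"
)


def extract_url(line):
    """Return the scheme://host[:port] prefix of the first URL in line, or None."""
    m = URL_RE.search(line)
    return m.group("url") if m else None


def extract_host_parts(line):
    """Return {"sub", "domain", "rest"} for the first URL in line, or None.

    Returns None when the host has fewer than two dots before the first "/",
    e.g. http://example.com/path, because the pattern needs two literal dots.
    """
    m = HOST_PARTS_RE.search(line)
    return m.groupdict() if m else None


def run_all(lines=SAMPLE_LOGS):
    """Apply both extractions to every line; useful for eyeballing results."""
    return [(extract_url(l), extract_host_parts(l)) for l in lines]


if __name__ == "__main__":
    for url, parts in run_all():
        print(url, parts)
```

If you need the three-group split to work on hosts with any number of labels, anchor on the last two labels instead of the first two, or extract the whole host with the first pattern and split it on "." afterwards.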