I cannot find a working example of this anywhere. I can find examples a mile long on google, but am having trouble actually assigning them to a variable in Splunk.
I got what I needed using the following:
|rex field=_raw "(?(https?:\/\/([-\w\.]+)+(:\d+)?))"
View solution in original post
Try this, for 3 capturing groups. You can name each group, if desired.
... | rex "https?:\/\/([^\.]+)\.([^\.]+)\.([^\/]+)"
Need a sample log entry
http or https then :// then anything up to . then anything up to . then anything up to first /
