for example:
x.company1.com
x.x.company2.com.cn
x.x.x.company3.cn
x.company4.co.jp
How can I extract those "companyn"s with rex?
Edit:
In fact, I face a problem: my expression took "com" as a company.
This can be difficult, since so many top-level domains are possible. If you have a fixed list of TLDs that are common in your result set, you could use a regex like this to extract the website name (e.g., google) from an existing field (e.g., referer):
(?P< website>[^. ]*)\.(?:co[m]?|net|cn|ca)
(Note that the space in front of the field name, website, is only there because the forum code required it for parsing; remove it in your rex command and/or transforms.) Example usage (with the extra space):
index=weblogs referer=* | rex field=referer "(?P< referer_website>[^. ]*)\.(?:co[m]?|net|cn|ca)" | top referer_website
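The following is an added example, not part of the original answer: it checks a suffix-anchored variant of the pattern against the four hostnames from the question, next to the "second-to-last label" approach that reports "com" as the company. The suffix list and the function names are assumptions made for illustration, and the input is assumed to be a bare hostname rather than a full URL.

```python
import re

# Constructed suffix list (an assumption): extend it with the suffixes in your data.
SUFFIXES = ["com", "net", "cn", "ca", "com.cn", "co.jp"]


def build_pattern(suffixes):
    """Regex capturing the label directly left of a known suffix at the end of the host."""
    # Longest suffixes first, so "com.cn" is tried before "com" and "cn".
    ordered = sorted(suffixes, key=len, reverse=True)
    alts = "|".join(re.escape(s) for s in ordered)
    # "$" pins the suffix to the end of the hostname, so a label that merely
    # starts with "co" or "com" (such as "company1") is never taken as the TLD.
    return r"(?P<company>[^.\s]+)\.(?:" + alts + r")$"


PATTERN = build_pattern(SUFFIXES)
COMPANY_RE = re.compile(PATTERN, re.IGNORECASE)


def naive_company(host):
    """Second-to-last label: the approach that yields "com" for *.com.cn hosts."""
    labels = host.strip().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else None


def extract_company(host):
    """Return the company label, or None when the suffix is not in the list."""
    m = COMPANY_RE.search(host.strip().rstrip(".").lower())
    return m.group("company") if m else None


# Hostnames taken from the question.
HOSTS = [
    "x.company1.com",
    "x.x.company2.com.cn",
    "x.x.x.company3.cn",
    "x.company4.co.jp",
]

if __name__ == "__main__":
    print(PATTERN)
    for h in HOSTS:
        print(f"{h:22} naive={naive_company(h):10} anchored={extract_company(h)}")
```

The printed pattern uses the same `(?P<name>...)` named-group syntax as the rex examples above, so it can be pasted into a `rex field=...` call when the field holds only the hostname.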