Solved: how does splunk analyse URL？

crazyeva · ‎11-01-2012

for example：
x.company1.com
x.x.company2.com.cn
x.x.x.company3.cn
x.company4.co.jp
how to extract with rex those "companyn"s?
edit：
infact i face a problem that my expression tooks "com" as a company

gcoles · ‎11-02-2012

This can be difficult, since so many top level domains are possible. If you have a fixed list of tld's that are common in your result set, you could use a regex like this to extract the website name (eg, google) from an existing field (eg, referer😞

(?P< website>[^. ]*)\.(?:co[m]?|net|cn|ca)

(Note that the space in front of the field name, website, is only there because the forum code required them for parsing, remove them in your rex command and/or transforms). Example usage (with the extra space):

index=weblogs referer=* | rex field=referer "(?P< referer_website>[^. ]*)\.(?:co[m]?|net|cn|ca)" | top referer_website

View solution in original post

gcoles · ‎11-02-2012

This can be difficult, since so many top level domains are possible. If you have a fixed list of tld's that are common in your result set, you could use a regex like this to extract the website name (eg, google) from an existing field (eg, referer😞

(?P< website>[^. ]*)\.(?:co[m]?|net|cn|ca)

(Note that the space in front of the field name, website, is only there because the forum code required them for parsing, remove them in your rex command and/or transforms). Example usage (with the extra space):

index=weblogs referer=* | rex field=referer "(?P< referer_website>[^. ]*)\.(?:co[m]?|net|cn|ca)" | top referer_website

how does splunk analyse URL？

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!