There's an App for that! The URL toolbox is my absolute fav but maybe URL Parse already does the trick?

Your SPL would look like this:

`method=GET| ut_parse(referer)`  

Make sure you use the back tick so Splunk knows you are calling a macro.

I ended up going with

\/\/(?:[^@\/\n]+@)?(?:www\.)?(?<refdomain>[^:\/\n]+)

Used it context it looks like

method=GET| rex field=referer "\/\/(?:[^@\/\n]+@)?(?:www\.)?(?<refdomain>[^:\/\n]+)"| stats values(refdomain)

See the extraction in action https://regex101.com/r/iVrIlL/1

To deal with all the various examples in this thread and all other possible cases such as new domains like .london, I think it will need something more than a reasonably short regex line.

I would probably go down the route of calling a Python script to deal with the cases to my satisfaction and being able to lay out the logic in a maintainable way. Maybe there is a splunk app or add-on that provides such functionality, if not, it could make a nice exercise to create one.

A few test cases:

conductor.io.com => io.com
support.expedia.co.uk => expedia.co.uk
0.52.channel.facebook.com => facebook.com
0.52.channel.facebook.london => facebook.london

Extraction can easily be done by some simple steps given at http://www.perlmonks.org/?node_id=670802. Various formulas are also available that can easily extract domain name from the URL using Regex who’s examples you can see at above site too. After reading if still some query remains unsolved feel free to ask..

This can also be even more efficient (if either com.br, com.pe, com.jo):

(?<_hostname>(\d{1,3}.\d{1,3}?|[^\.\s]+?)\.([^\.\s]{1,3}|[^\.\s]{1,3}\.[^\.\s]{1,3}))$

Assuming you always want only two levels:

| rex field=s_hostname "\.(?<s_domainname>\S+\.\S+)$"