Solved: Re: How to write a regular expression to extract t...

kiran331 · ‎03-13-2017

Hi,

How to write a regular expression to use to extract the domain name from the dest_host, like extracting the last character before second "."
for example:
stg-ec-ore-u.uplynk.com
7.tlu.dl.delivery.mp.microsoft.com

stg-ec-norcal-u.microsoft.com

foxnews-f.akamaihd.net

cnnios-f.akamaihd.net

daarack02.vpg.cdn.yimg.com

redir.adap.tv

Required Output:
.uplynk.com
.microsoft.com

.akamaihd.net

.yimg.com
.adap.tv

somesoni2 · ‎03-13-2017

Try like this

Updated

your search | rex field=dest_host "(?<domain>\.[A-z0-9]+\.[A-z0-9]+)$"

View solution in original post

asimagu · ‎03-13-2017

try this:

rex field=dest_host "[^\.]+(?<domain>.+)"

somesoni2 · ‎03-13-2017

Try like this

Updated

your search | rex field=dest_host "(?<domain>\.[A-z0-9]+\.[A-z0-9]+)$"

kiran331 · ‎03-13-2017

I tried, its not working

somesoni2 · ‎03-13-2017

Missed a + sign at the end. Try the updated answer.

kiran331 · ‎03-13-2017

Thanks somesoni2! It worked, is there a way to remove . before domain name.

somesoni2 · ‎03-13-2017

Just remove the \. after <domain>. A more accurate version would be like this

your search | rex field=dest_host "\.(?<domain>[A-z0-9]+\.[A-z0-9]+)$"

How to write a regular expression to extract the domain name from dest_host field?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...