Re: need rex help

vikram1583 · ‎03-01-2020

in my event i want to extract TLD's

i want to extract:
com
news
tech
net
org

please help me with rex?
thanks in advance

woodcock · ‎03-03-2020

URL Toolbox: https://splunkbase.splunk.com/app/2734/

sumanssah · ‎03-02-2020

Try this

(?<TLD>\.\w+?)(?:$|\/)

to4kawa · ‎03-02-2020

rex field=your_field "(?<TLD>com|news|tech|net|org)"

manjunathmeti · ‎03-02-2020

Hi @vikram1583,

Try this:

| rex "\w*\.(?<tld>[a-z]+)$"

vikram1583 · ‎03-02-2020

not working

to4kawa · ‎03-02-2020

not working
hec? what is "TLD" you say?

manjunathmeti · ‎03-02-2020

Please share some raw data.

efavreau · ‎03-02-2020

@vikram1583 What do your logs look like? Are you extracting from fields that already identified websites or email addresses or do you have a mess in your logs that you need to identify the pattern first and then the TLD? Are these URL's fully qualified, like https://www.example.com/, or are the more like example.com? Do they end at the TLD, or continue with parameters/directories/etc.? Details and a log sample will go a long way in people being able to help you efficiently.

###

If this reply helps you, an upvote would be appreciated.

efavreau · ‎03-02-2020

@vikram1583 I maintain that this will go better with more details and a log sample. Please edit your question with a sample log (scrub for anything sensitive). Some of these proposed solutions aren't successful against patterns such as:
https://answers.splunk.com/answers/806969/need-rex-help.html (where the valid TLD is com)
www.example.wanggou (where the valid TLD would be wanggou)
etc.

###

If this reply helps you, an upvote would be appreciated.

need rex help

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases