Extracting domain name out of a url

Question

I am trying to field extraction working for just domains accessed on my Ironport WSAs but am having an issue extracting just the domain piece out of a url.
For example, if I do a search by top s_hostname I get the following: 0.4.channel.facebook.com 0.52.channel.facebook.com 0.57.channel.facebook.com 0.chstatic.cvcdn.com 0.gvt0.com 0.media.dorkly.cvcdn.com 0.media.todaysbigthing.cvcdn.com 0.r.msn.com 0.tqn.com 0.track.ning.com I am trying to get a regex working to strip everything out to the left of the domain name so I would only see facebook.com and not 0.4.channel.facebook.com. I am not having any luck coming up with a regex to handle this.

Answer 1

2

Assuming you always want only two levels:

| rex field=s_hostname "\.(?<s_domainname>\S+\.\S+)$"

link

answered 16 Oct '10, 21:23

southeringtonp ♦
4.5k●1●2●15
accept rate: 35%

edited 17 Oct '10, 15:34

2

Probably a more efficient regex is: (?<s_domainname>[^\.\s]+\.[^\.\s]+)$ instead.

(17 Oct '10, 15:31) gkanapathy ♦

Extracting domain name out of a url

Follow this question

Splunk Resources

Related questions