Solved: Re: how does splunk analyse URL？

crazyeva · ‎11-01-2012

for example：
x.company1.com
x.x.company2.com.cn
x.x.x.company3.cn
x.company4.co.jp
how to extract with rex those "companyn"s?
edit：
infact i face a problem that my expression tooks "com" as a company

gcoles · ‎11-02-2012

This can be difficult, since so many top level domains are possible. If you have a fixed list of tld's that are common in your result set, you could use a regex like this to extract the website name (eg, google) from an existing field (eg, referer😞

(?P< website>[^. ]*)\.(?:co[m]?|net|cn|ca)

(Note that the space in front of the field name, website, is only there because the forum code required them for parsing, remove them in your rex command and/or transforms). Example usage (with the extra space):

index=weblogs referer=* | rex field=referer "(?P< referer_website>[^. ]*)\.(?:co[m]?|net|cn|ca)" | top referer_website

View solution in original post

gcoles · ‎11-02-2012

This can be difficult, since so many top level domains are possible. If you have a fixed list of tld's that are common in your result set, you could use a regex like this to extract the website name (eg, google) from an existing field (eg, referer😞

(?P< website>[^. ]*)\.(?:co[m]?|net|cn|ca)

(Note that the space in front of the field name, website, is only there because the forum code required them for parsing, remove them in your rex command and/or transforms). Example usage (with the extra space):

index=weblogs referer=* | rex field=referer "(?P< referer_website>[^. ]*)\.(?:co[m]?|net|cn|ca)" | top referer_website

how does splunk analyse URL？

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!