This regexp seems to be doing the job, but I don't seem able to add it to the field extractor, as it does not match there while it does for me in other regexp tools:
([a-z0-9_\-]{1,5})?(:\/\/)?(([a-z0-9_\-]{1,})(:([a-z0-9_\-]{1,}))?\@)?((www\.)|([a-z0-9_\-]{1,}\.)+)?([a-z0-9_\-]{3,})\.([a-z]{2,4})(\/([a-z0-9_\-]{1,}\/)+)?([a-z0-9_\-]{1,})?(\.[a-z]{2,})?(\?)?(((\&)?[a-z0-9_\-]{1,}(\=[a-z0-9_\-]{1,})?)+)?
Removing the first part would also eliminate the "http://"
([a-z0-9_\-]{1,5})?(:\/\/)?(([a-z0-9_\-]{1,})(:([a-z0-9_\-]{1,}))?\@)?
It would be great for Splunk to include an autodetection tool for this. In my case the interest is in being able to add all traffic to, say, alsur.es (www.alsur.es, img1.alsur.es, cdn.alsur.es:77...) under a single count, "alsur.es", or even just "alsur".
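Added example, not part of the original post: one way to collapse hosts such as www.alsur.es, img1.alsur.es and cdn.alsur.es:77 into a single "alsur.es" count, written in Python rather than as a Splunk field extraction. The pattern, the function names and the sample values are constructed for illustration, and the code assumes the registered domain is the last two labels (true for alsur.es, not for suffixes such as co.uk).

```python
import re
from collections import Counter

# Anchored pattern (constructed for this example): optional scheme, optional
# user[:password]@, dotted host name, optional :port. Only the host is captured.
HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.\-]*://)?"                  # scheme, e.g. http://
    r"(?:[^/@\s]+@)?"                               # userinfo
    r"(?P<host>[a-z0-9_\-]+(?:\.[a-z0-9_\-]+)+)"    # host with at least one dot
    r"(?::\d+)?"                                    # port
    r"(?:[/?#]|$)",                                 # path/query start, or end
    re.IGNORECASE,
)

def registered_domain(value):
    """Return (domain, name), e.g. ("alsur.es", "alsur"), or None.

    Assumption: the registered domain is the last two labels of the host.
    """
    m = HOST_RE.match(value.strip())
    if not m:
        return None
    labels = m.group("host").lower().split(".")
    if labels[-1].isdigit():        # IPv4 literal, not a domain name
        return None
    return ".".join(labels[-2:]), labels[-2]

def count_by_domain(values):
    """Count values per registered domain, skipping anything unparseable."""
    counts = Counter()
    for value in values:
        parsed = registered_domain(value)
        if parsed:
            counts[parsed[0]] += 1
    return counts

# Constructed sample values, including the hosts mentioned in the post.
SAMPLE = [
    "http://www.alsur.es/index.html",
    "img1.alsur.es/logo.png?size=2",
    "cdn.alsur.es:77",
    "alsur.es",
    "https://user:pw@static.example.com/a/b",
]

if __name__ == "__main__":
    for domain, hits in count_by_domain(SAMPLE).most_common():
        print(domain, hits)
```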