Reputation: 63
There are some domains.
Host: random_doamin:8080
Host: random_domain/hello
Host: random_domain
Host: http://random_doamin:8080
Host: https://random_domain/hello
And this is the query that I used for testing on Splunk.
index=notable earliest=-1h | head 5
| eval domain1="Host: random_doamin:8080"
| eval domain2="Host: random_domain/hello"
| eval domain3="Host: random_domain"
| eval domain4="Host: http://random_doamin:8080"
| eval domain5="Host: https://random_domain/hello"
| eval isMalicious = mvappend('domain1', 'domain2', 'domain3', 'domain4', 'domain5')
| mvexpand isMalicious
| dedup isMalicious
| rex field=isMalicious "Host: (http://|https://)?(?<random_domain>.*(:|\/)?)"
| table isMalicious random_domain
Here is the result of the query.
What I want is to extract only random_domain.
If this is impossible, then at least I want to extract it like below:
"random_domain:" or "random_domain/"
I need your help. Thanks in advance for your kindness.
Upvotes: 1
Views: 231
Reputation: 18611
Use
Host: (?:https?://)?(?<random_domain>[^:/\s]+)
See proof.
Explanation
--------------------------------------------------------------------------------
Host:       'Host: '
(?:         group, but do not capture (optional (matching the most amount possible)):
  http      'http'
  s?        's' (optional (matching the most amount possible))
  ://       '://'
)?          end of grouping
--------------------------------------------------------------------------------
Upvotes: 1
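A worked check of both patterns against the five sample values from the question, as an added example that is not part of the original question or answer. It is written in Python rather than SPL, so the PCRE-style (?<name>...) group is spelled in Python's (?P<name>...) form; the helper names extract_domain and extract_all and the SAMPLE_HOSTS list are my own constructions. Running it side by side shows why the question's greedy ".*" swallowed the port and path, and that the answer's negated character class stops at the first ':' or '/'.

```python
import re

# Constructed sample values, mirroring the five test strings in the question.
SAMPLE_HOSTS = [
    "Host: random_doamin:8080",
    "Host: random_domain/hello",
    "Host: random_domain",
    "Host: http://random_doamin:8080",
    "Host: https://random_domain/hello",
]

# The regex from the question: ".*" is greedy and the trailing (:|/) group is
# optional, so the whole remainder of the line ends up inside the capture.
ORIGINAL_RE = re.compile(r"Host: (http://|https://)?(?P<random_domain>.*(:|/)?)")

# The regex from the answer, with (?<name>...) written as Python's (?P<name>...).
# [^:/\s]+ consumes host characters only, stopping at the first ':' (port),
# '/' (path) or whitespace, which is what makes the capture precise.
FIXED_RE = re.compile(r"Host: (?:https?://)?(?P<random_domain>[^:/\s]+)")


def extract_domain(value, pattern=FIXED_RE):
    """Return the named 'random_domain' capture, or None when the pattern does not match."""
    match = pattern.search(value)
    return match.group("random_domain") if match else None


def extract_all(values, pattern=FIXED_RE):
    """Apply extract_domain to every value, the way rex runs once per event in Splunk."""
    return [extract_domain(value, pattern) for value in values]


if __name__ == "__main__":
    for value in SAMPLE_HOSTS:
        original = extract_domain(value, ORIGINAL_RE)
        fixed = extract_domain(value)
        print(f"{value!r:40} original -> {original!r:25} fixed -> {fixed!r}")
```

The same pattern drops straight into the rex command from the question as rex field=isMalicious "Host: (?:https?://)?(?<random_domain>[^:/\s]+)"; Splunk's regex engine accepts the (?<name>...) form directly, so only the Python copy needs the (?P<...>) spelling.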