Answer by warren for Extract substring from Splunk String

So long as you have at least three segments to a fully-qualified domain name, this should work (without using a regular expression):

index=ndx sourcetype=srctp host=*
| makemv delim="." host
| eval piece=substr(mvindex(host,2),1,4)
...

makemv converts a field into a multivalue field based on the delim you instruct it to use.

Then use eval to grab the third item in the list using mvindex, trimming it with substr.

If you really want to use a regular expression, this will do it (again, presuming you have at least three pieces to the FQDN):

index=ndx sourcetype=srctp host=*
| rex field=host "\.[^\.]+\.(?<piece>[^\.]{4})"
...

from User warren – Stack Overflow https://stackoverflow.com/questions/71109953/extract-substring-from-splunk-string/71113221#71113221
via IFTTT
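As an added check that is not part of warren's answer or of Splunk itself, the Python below re-implements both SPL pipelines from the answer and runs them side by side over a few constructed hostnames, including ones with fewer than three segments or a short third segment, so the two approaches can be compared before relying on either in a search. It assumes Splunk's documented semantics: mvindex is 0-based (so the third list item is index 2 and an out-of-range index yields null), substr is 1-based, and the rex named group `(?<piece>...)` is written `(?P<piece>...)` in Python's re module. The function names, the sample hosts and the `compare` helper are assumptions introduced here for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Splunk's named-group syntax (?<piece>...) becomes (?P<piece>...) in Python's re.
# The pattern itself is the one from the rex command in the answer above.
PIECE_RE = re.compile(r"\.[^\.]+\.(?P<piece>[^\.]{4})")


def piece_makemv(host: str) -> Optional[str]:
    """Emulate: makemv delim="." host | eval piece=substr(mvindex(host,2),1,4)."""
    segments = host.split(".")            # makemv delim="." host
    if len(segments) < 3:                 # mvindex out of range -> null in Splunk
        return None
    # substr(x, 1, 4) is 1-based in SPL: the first four characters.
    # A third segment shorter than four characters is returned whole.
    return segments[2][0:4]


def piece_rex(host: str) -> Optional[str]:
    r"""Emulate: rex field=host "\.[^\.]+\.(?<piece>[^\.]{4})"."""
    m = PIECE_RE.search(host)
    return m.group("piece") if m else None


# Constructed sample hostnames (hypothetical, not from the original question):
SAMPLE_HOSTS: List[str] = [
    "host01.corp.example.net",   # four segments, third segment long enough
    "web.prod.internal",         # exactly three segments
    "www.example.com",           # third segment shorter than four characters
    "srv.us.ny.company.com",     # short third segment, longer segments after it
    "localhost",                 # no dots at all
]


def compare(hosts: List[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {host: (makemv/mvindex result, rex result)} for each host."""
    return {h: (piece_makemv(h), piece_rex(h)) for h in hosts}


if __name__ == "__main__":
    for host, (via_mvindex, via_rex) in compare(SAMPLE_HOSTS).items():
        print(f"{host:28} mvindex={via_mvindex!r:8} rex={via_rex!r}")
```

The two pipelines agree whenever the third segment has at least four characters, but they diverge otherwise: the makemv/mvindex version returns a short third segment unchanged (substr simply stops early), while the rex version requires four non-dot characters after the second dot, so it either yields nothing (`www.example.com`) or, because the regex engine keeps scanning, captures the start of a later segment instead (`srv.us.ny.company.com` gives `comp`). Which behaviour is wanted depends on the host naming scheme in the index, so this kind of comparison is worth running against real host values before choosing one.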