https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368070#M108495 <P>Nothing backwards about it. We want a chunk that occurs between a slash <CODE>"/"</CODE> and the letters <CODE>" HTTP"</CODE>. We want to make sure not to match the space <CODE>\s</CODE> or any other slashes <CODE>\/</CODE>.</P> <P>Thus, we create a character type that matches anything but slash or whitespace <CODE>[^\/\s]</CODE>, and capture however many of them there are, (but minimum one <CODE>+</CODE>) between our endpoints.</P> <PRE><CODE> | rex "\/(?&lt;mymatch&gt;[^\/\s]+)\sHTTP" </CODE></PRE> <P>Voila.</P> Wed, 27 Sep 2017 23:49:16 GMT DalJeanis 2017-09-27T23:49:16Z https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368069#M108494 <P>Hi,</P> <P>I have this data</P> <P>10.210.192.15 - - [26/Sep/2017:19:59:59 -0400] "POST /rest/icontrol/sites/315568/network/instances/100876ffe9572a.0/functions/disarm HTTP/1.1" 202 9 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60" "</P> <P>10.210.192.5 - - [26/Sep/2017:19:59:59 -0400] "POST /rest/icontrol/sites/4793/network/instances/140024460000052928.10.0/functions/thermostatStatus HTTP/1.1" 202 9 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60" "-" "-"</P> <P>6:59:59.000 PM<BR /><BR /> 10.210.192.15 - - [26/Sep/2017:19:59:59 -0400] "GET /rest/icontrol/sites/4793/network/lights/getAllLightingStatus HTTP/1.1" 202 9 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60" "-" "-"</P> <P>And I think I need to do a backwards match (unless there is a better way). I need to match</P> <P>disarm in the first event<BR /> thermostatStatus in the second event<BR /> getAllLightingStatus in the third event</P> <P>I'm ok with regex but trying to wrap my mind around how to search backwards throws me for a loop!</P> Tue, 29 Sep 2020 16:02:41 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368069#M108494 dbcase 2020-09-29T16:02:41Z https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368070#M108495 <P>Nothing backwards about it. We want a chunk that occurs between a slash <CODE>"/"</CODE> and the letters <CODE>" HTTP"</CODE>. We want to make sure not to match the space <CODE>\s</CODE> or any other slashes <CODE>\/</CODE>.</P> <P>Thus, we create a character type that matches anything but slash or whitespace <CODE>[^\/\s]</CODE>, and capture however many of them there are, (but minimum one <CODE>+</CODE>) between our endpoints.</P> <PRE><CODE> | rex "\/(?&lt;mymatch&gt;[^\/\s]+)\sHTTP" </CODE></PRE> <P>Voila.</P> Wed, 27 Sep 2017 23:49:16 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368070#M108495 DalJeanis 2017-09-27T23:49:16Z https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368071#M108496 <P>wow, that is pretty slick</P> Thu, 28 Sep 2017 15:22:22 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368071#M108496 dbcase 2017-09-28T15:22:22Z https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368072#M108497 <P>@dbcase - It's all in learning how to look at it. Sometimes you just have to take three steps back. Sometimes you have to cross your eyes. Sometimes you have to get out a chainsaw and cut a wall out of the way. <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 28 Sep 2017 16:27:16 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368072#M108497 DalJeanis 2017-09-28T16:27:16Z https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368073#M108498 <P>I can't wait to use the chainsaw! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 28 Sep 2017 23:01:39 GMT https://community.splunk.com/t5/Splunk-Search/Another-regex/m-p/368073#M108498 dbcase 2017-09-28T23:01:39Z