topic Re: Extract data from URL string in Splunk Search https://community.splunk.com/t5/Splunk-Search/Extract-data-from-URL-string/m-p/419753#M120693 <P>Greetings @Vfinney,</P> <P>Please try the following run-anywhere search.</P> <PRE><CODE>| makeresults | eval _raw="7/30/19 1:29:52.000 PM Jul 30 13:29:52 10.140.24.233 Jul 30 13:29:52 Access_Logs_Splunk: Info: 1564511389.352 80 10.140.6.27 TCP_MISS/204 793 GET <A href="http://dmp.truoptik.com/239e300e6dca3b53/sync.gif?dm=ib.adnxs.com&amp;fck=6298473322644763945" target="test_blank">http://dmp.truoptik.com/239e300e6dca3b53/sync.gif?dm=ib.adnxs.com&amp;fck=6298473322644763945</A> \"DOL\sroth@KDOL_Web_Auth\" DIRECT/dmp.truoptik.com - DEFAULT_CASE_12-KDOL_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,-,-,\"-\",\"-\",\"-\",\"-\",\"-\",\"-\",79.30,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\"&gt; -" | append [ makeresults | eval _raw="7/30/19 1:29:42.000 PM Jul 30 13:29:42 10.140.24.233 Jul 30 13:29:42 Access_Logs_Splunk: Info: 1564511379.248 324 10.140.10.21 TCP_MISS/206 1587824 GET <A href="http://r14---sn-bvvbaxjpl.gvt1.com/edgedl/release2/chrome/AOnIEhGH7WaH0jVMgWzb_TU_76.0.3809.87/76.0.3809.87_75.0.3770.142_chrome_updater.exe?cms_redirect=yes&amp;mip=165.201.56.130&amp;mm=28&amp;mn=sn-bvvbax-hjpl&amp;ms=nvh&amp;mt=1564511187&amp;mv=m&amp;mvi=13&amp;nh=EAE&amp;pl=16&amp;shardbypass=yes" target="test_blank">http://r14---sn-bvvbaxjpl.gvt1.com/edgedl/release2/chrome/AOnIEhGH7WaH0jVMgWzb_TU_76.0.3809.87/76.0.3809.87_75.0.3770.142_chrome_updater.exe?cms_redirect=yes&amp;mip=165.201.56.130&amp;mm=28&amp;mn=sn-bvvbax-hjpl&amp;ms=nvh&amp;mt=1564511187&amp;mv=m&amp;mvi=13&amp;nh=EAE&amp;pl=16&amp;shardbypass=yes</A> \"DOL\dingels@KDOL_Web_Auth\" DIRECT/r14---sn-bvvbax-hjpl.gvt1.com application/octet-stream DEFAULT_CASE_12-KDOL_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,-,-,\"-\",\"-\",\"-\",\"-\",\"-\",\"-\",39205.53,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\"&gt; -" ] | append [ makeresults | eval _raw="7/30/19 1:33:50.000 PM Jul 30 13:33:50 10.140.24.234 Jul 30 13:33:50 Access_Logs_Splunk: Info: 1564511627.609 1779 10.140.4.14 TCP_MISS/200 3461685 GET <A href="http://workforce-ks.com/wp-content/uploads/2015/05/08.01.2019-One-Stop-Advisory-Council-Meeting-Packet.pdf" target="test_blank">http://workforce-ks.com/wp-content/uploads/2015/05/08.01.2019-One-Stop-Advisory-Council-Meeting-Packet.pdf</A> \"DOL\nstruckhoff@KDOL_Web_Auth\" DIRECT/workforce-ks.com application/pdf DEFAULT_CASE_12-Social_Media_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,-,-,\"-\",\"-\",\"-\",\"-\",\"-\",\"-\",15566.88,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\"&gt; -" ] | append [ makeresults | eval _raw="7/30/19 1:33:11.000 PM Jul 30 13:33:11 10.140.24.234 Jul 30 13:33:11 Access_Logs_Splunk: Info: 1564511588.080 44 10.140.4.104 TCP_MISS/200 35005 GET <A href="http://ts.intra.dol.ks.gov/Files/PDF/EmployeeRecognition.pdf" target="test_blank">http://ts.intra.dol.ks.gov/Files/PDF/EmployeeRecognition.pdf</A> \"DOL\njanco@KDOL_Web_Auth\" DIRECT/ts.intra.dol.ks.gov application/pdf DEFAULT_CASE_12-Social_Media_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,-,-,\"-\",\"-\",\"-\",\"-\",\"-\",\"-\",6364.55,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\"&gt; -" ] | rex field=_raw "GET (?&lt;Full_URL&gt;https?://[^\s]+)" | rex field=Full_URL "(?&lt;URL&gt;https?://[^/]+/)" | rex field=Full_URL "/(?&lt;Filename&gt;[^/]+)(?&lt;Filetype&gt;\.(gif|exe|pdf))\??" | table URL Filename Filetype </CODE></PRE> <P>These are the results:</P> <PRE><CODE>URL Filename Filetype <A href="http://dmp.truoptik.com/" target="test_blank">http://dmp.truoptik.com/</A> sync .gif <A href="http://r14---sn-bvvbaxjpl.gvt1.com/" target="test_blank">http://r14---sn-bvvbaxjpl.gvt1.com/</A> 76.0.3809.87_75.0.3770.142_chrome_updater .exe <A href="http://workforce-ks.com/" target="test_blank">http://workforce-ks.com/</A> 08.01.2019-One-Stop-Advisory-Council-Meeting-Packet .pdf <A href="http://ts.intra.dol.ks.gov/" target="test_blank">http://ts.intra.dol.ks.gov/</A> EmployeeRecognition .pdf </CODE></PRE> <P>Assumptions:<BR /> - URL is always preceded by "GET " and does not contain spaces.<BR /> - Filename does not contain spaces or "/" symbol<BR /> - Filetype is either <CODE>.gif</CODE>, <CODE>.exe</CODE>, or <CODE>.pdf</CODE>. You can add <CODE>|</CODE> and the new extension after <CODE>gif|exe|pdf</CODE> to add others.</P> Tue, 30 Jul 2019 19:36:33 GMT jacobpevans 2019-07-30T19:36:33Z Extract data from URL string https://community.splunk.com/t5/Splunk-Search/Extract-data-from-URL-string/m-p/419752#M120692 <P>I am trying to extract the file types, file names, and URLs from proxy logs for monitoring purposes. Here is what I'm looking for. Thanks in advance for any and all assistance. </P> <P>URL Filetype Filename<BR /> <A href="http://dmp.truoptik.com" target="_blank">http://dmp.truoptik.com</A> .gif sync<BR /> <A href="http://r14---sn-bvvbax" target="_blank">http://r14---sn-bvvbax</A> jpl.gvt1 .exe Chrome_updater<BR /> <A href="http://workforce-ks.com/" target="_blank">http://workforce-ks.com/</A> .pdf 2019-One-Stop-Advisory-Council-Meeting-Packet</P> <P>Proxy logs examples:<BR /> 7/30/19<BR /> 1:29:52.000 PM<BR /><BR /> Jul 30 13:29:52 10.140.24.233 Jul 30 13:29:52 Access_Logs_Splunk: Info: 1564511389.352 80 10.140.6.27 TCP_MISS/204 793 GET <A href="http://dmp.truoptik.com/239e300e6dca3b53/sync.gif?dm=ib.adnxs.com&amp;fck=6298473322644763945" target="_blank">http://dmp.truoptik.com/239e300e6dca3b53/sync.gif?dm=ib.adnxs.com&amp;fck=6298473322644763945</A> "DOL\sroth@KDOL_Web_Auth" DIRECT/dmp.truoptik.com - DEFAULT_CASE_12-KDOL_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",79.30,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"&gt; -</P> <P>7/30/19 1:29:42.000 PM Jul 30 13:29:42 10.140.24.233 Jul 30 13:29:42 Access_Logs_Splunk: Info: 1564511379.248 324 10.140.10.21 TCP_MISS/206 1587824 GET <A href="http://r14---sn-bvvbax" target="_blank">http://r14---sn-bvvbax</A> jpl.gvt1.com/edgedl/release2/chrome/AOnIEhGH7WaH0jVMgWzb_TU_76.0.3809.87/76.0.3809.87_75.0.3770.142_chrome_updater.exe?cms_redirect=yes&amp;mip=165.201.56.130&amp;mm=28&amp;mn=sn-bvvbax-hjpl&amp;ms=nvh&amp;mt=1564511187&amp;mv=m&amp;mvi=13&amp;nh=EAE&amp;pl=16&amp;shardbypass=yes "DOL\dingels@KDOL_Web_Auth" DIRECT/r14---sn-bvvbax-hjpl.gvt1.com application/octet-stream DEFAULT_CASE_12-KDOL_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",39205.53,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"&gt; -</P> <P>7/30/19<BR /> 1:33:50.000 PM<BR /><BR /> Jul 30 13:33:50 10.140.24.234 Jul 30 13:33:50 Access_Logs_Splunk: Info: 1564511627.609 1779 10.140.4.14 TCP_MISS/200 3461685 GET <A href="http://workforce-ks.com/wp-content/uploads/2015/05/08.01.2019-One-Stop-Advisory-Council-Meeting-Packet.pdf" target="_blank">http://workforce-ks.com/wp-content/uploads/2015/05/08.01.2019-One-Stop-Advisory-Council-Meeting-Packet.pdf</A> "DOL\nstruckhoff@KDOL_Web_Auth" DIRECT/workforce-ks.com application/pdf DEFAULT_CASE_12-Social_Media_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",15566.88,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"&gt; -</P> <P>7/30/19<BR /> 1:33:11.000 PM<BR /><BR /> Jul 30 13:33:11 10.140.24.234 Jul 30 13:33:11 Access_Logs_Splunk: Info: 1564511588.080 44 10.140.4.104 TCP_MISS/200 35005 GET <A href="http://ts.intra.dol.ks.gov/Files/PDF/EmployeeRecognition.pdf" target="_blank">http://ts.intra.dol.ks.gov/Files/PDF/EmployeeRecognition.pdf</A> "DOL\njanco@KDOL_Web_Auth" DIRECT/ts.intra.dol.ks.gov application/pdf DEFAULT_CASE_12-Social_Media_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",6364.55,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"&gt; -</P> Wed, 30 Sep 2020 01:32:20 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-URL-string/m-p/419752#M120692 Vfinney 2020-09-30T01:32:20Z Re: Extract data from URL string https://community.splunk.com/t5/Splunk-Search/Extract-data-from-URL-string/m-p/419753#M120693 <P>Greetings @Vfinney,</P> <P>Please try the following run-anywhere search.</P> <PRE><CODE>| makeresults | eval _raw="7/30/19 1:29:52.000 PM Jul 30 13:29:52 10.140.24.233 Jul 30 13:29:52 Access_Logs_Splunk: Info: 1564511389.352 80 10.140.6.27 TCP_MISS/204 793 GET <A href="http://dmp.truoptik.com/239e300e6dca3b53/sync.gif?dm=ib.adnxs.com&amp;fck=6298473322644763945" target="test_blank">http://dmp.truoptik.com/239e300e6dca3b53/sync.gif?dm=ib.adnxs.com&amp;fck=6298473322644763945</A> \"DOL\sroth@KDOL_Web_Auth\" DIRECT/dmp.truoptik.com - DEFAULT_CASE_12-KDOL_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,-,-,\"-\",\"-\",\"-\",\"-\",\"-\",\"-\",79.30,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\"&gt; -" | append [ makeresults | eval _raw="7/30/19 1:29:42.000 PM Jul 30 13:29:42 10.140.24.233 Jul 30 13:29:42 Access_Logs_Splunk: Info: 1564511379.248 324 10.140.10.21 TCP_MISS/206 1587824 GET <A href="http://r14---sn-bvvbaxjpl.gvt1.com/edgedl/release2/chrome/AOnIEhGH7WaH0jVMgWzb_TU_76.0.3809.87/76.0.3809.87_75.0.3770.142_chrome_updater.exe?cms_redirect=yes&amp;mip=165.201.56.130&amp;mm=28&amp;mn=sn-bvvbax-hjpl&amp;ms=nvh&amp;mt=1564511187&amp;mv=m&amp;mvi=13&amp;nh=EAE&amp;pl=16&amp;shardbypass=yes" target="test_blank">http://r14---sn-bvvbaxjpl.gvt1.com/edgedl/release2/chrome/AOnIEhGH7WaH0jVMgWzb_TU_76.0.3809.87/76.0.3809.87_75.0.3770.142_chrome_updater.exe?cms_redirect=yes&amp;mip=165.201.56.130&amp;mm=28&amp;mn=sn-bvvbax-hjpl&amp;ms=nvh&amp;mt=1564511187&amp;mv=m&amp;mvi=13&amp;nh=EAE&amp;pl=16&amp;shardbypass=yes</A> \"DOL\dingels@KDOL_Web_Auth\" DIRECT/r14---sn-bvvbax-hjpl.gvt1.com application/octet-stream DEFAULT_CASE_12-KDOL_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,-,-,\"-\",\"-\",\"-\",\"-\",\"-\",\"-\",39205.53,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\"&gt; -" ] | append [ makeresults | eval _raw="7/30/19 1:33:50.000 PM Jul 30 13:33:50 10.140.24.234 Jul 30 13:33:50 Access_Logs_Splunk: Info: 1564511627.609 1779 10.140.4.14 TCP_MISS/200 3461685 GET <A href="http://workforce-ks.com/wp-content/uploads/2015/05/08.01.2019-One-Stop-Advisory-Council-Meeting-Packet.pdf" target="test_blank">http://workforce-ks.com/wp-content/uploads/2015/05/08.01.2019-One-Stop-Advisory-Council-Meeting-Packet.pdf</A> \"DOL\nstruckhoff@KDOL_Web_Auth\" DIRECT/workforce-ks.com application/pdf DEFAULT_CASE_12-Social_Media_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,-,-,\"-\",\"-\",\"-\",\"-\",\"-\",\"-\",15566.88,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\"&gt; -" ] | append [ makeresults | eval _raw="7/30/19 1:33:11.000 PM Jul 30 13:33:11 10.140.24.234 Jul 30 13:33:11 Access_Logs_Splunk: Info: 1564511588.080 44 10.140.4.104 TCP_MISS/200 35005 GET <A href="http://ts.intra.dol.ks.gov/Files/PDF/EmployeeRecognition.pdf" target="test_blank">http://ts.intra.dol.ks.gov/Files/PDF/EmployeeRecognition.pdf</A> \"DOL\njanco@KDOL_Web_Auth\" DIRECT/ts.intra.dol.ks.gov application/pdf DEFAULT_CASE_12-Social_Media_Access_Policy-KDOL_Web_Identity-NONE-NONE-NONE-DefaultGroup &lt;-,-,-,\"-\",-,-,-,-,\"-\",-,-,-,\"-\",-,-,\"-\",\"-\",-,-,-,-,\"-\",\"-\",\"-\",\"-\",\"-\",\"-\",6364.55,0,-,\"-\",\"-\",-,\"-\",-,-,\"-\",\"-\",-,-,\"-\"&gt; -" ] | rex field=_raw "GET (?&lt;Full_URL&gt;https?://[^\s]+)" | rex field=Full_URL "(?&lt;URL&gt;https?://[^/]+/)" | rex field=Full_URL "/(?&lt;Filename&gt;[^/]+)(?&lt;Filetype&gt;\.(gif|exe|pdf))\??" | table URL Filename Filetype </CODE></PRE> <P>These are the results:</P> <PRE><CODE>URL Filename Filetype <A href="http://dmp.truoptik.com/" target="test_blank">http://dmp.truoptik.com/</A> sync .gif <A href="http://r14---sn-bvvbaxjpl.gvt1.com/" target="test_blank">http://r14---sn-bvvbaxjpl.gvt1.com/</A> 76.0.3809.87_75.0.3770.142_chrome_updater .exe <A href="http://workforce-ks.com/" target="test_blank">http://workforce-ks.com/</A> 08.01.2019-One-Stop-Advisory-Council-Meeting-Packet .pdf <A href="http://ts.intra.dol.ks.gov/" target="test_blank">http://ts.intra.dol.ks.gov/</A> EmployeeRecognition .pdf </CODE></PRE> <P>Assumptions:<BR /> - URL is always preceded by "GET " and does not contain spaces.<BR /> - Filename does not contain spaces or "/" symbol<BR /> - Filetype is either <CODE>.gif</CODE>, <CODE>.exe</CODE>, or <CODE>.pdf</CODE>. You can add <CODE>|</CODE> and the new extension after <CODE>gif|exe|pdf</CODE> to add others.</P> Tue, 30 Jul 2019 19:36:33 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-from-URL-string/m-p/419753#M120693 jacobpevans 2019-07-30T19:36:33Z