topic Extract string between 2 string in Splunk Search

Extract string between 2 string

serviceinfrastr — Thu, 23 Aug 2018 12:07:49 GMT

Hi Community,

I have a question about regex and extraction

I want to extract only the string between /var/log/nginx/access_ and .log

I already tried many regex en mod=sed but i don't find the right regex.

Can you help me ?

Many thanks

Re: Extract string between 2 string

renjith_nair — Thu, 23 Aug 2018 13:08:38 GMT

@serviceinfrastructure,

Try

 |rex  field=URL "^/\w+/\w+/\w+/\w+_(?P<my_string>[^\.]+)"|table my_string

Re: Extract string between 2 string

sudosplunk — Thu, 23 Aug 2018 13:10:57 GMT

Try this. Add this to your search,

search...| rex field=source "\/var\/log\/nginx\/access\_(?<string>\S+)\.log" | table string

Tested regex here.

Re: Extract string between 2 string

richgalloway — Thu, 23 Aug 2018 13:12:26 GMT

If you just need to extract a string then you don't need sed as that is for modifying strings.
Try this:

host=dnginx* NOT source="/var/log/nginx/access.log" NOT source="/var/log/nginx/error.log" | rex field=source "access_(?<string>[^\.]+)" | chart count by string | rename url_short as URL

Re: Extract string between 2 string

sudosplunk — Thu, 23 Aug 2018 13:20:23 GMT

@serviceinfrastructure ,

You can use regex given by @richgalloway, as it takes, 13 steps to match the pattern and mine takes 38 steps. However, if you have many sources with access_ in the value, then you might want to be more specific in defining regex.

Re: Extract string between 2 string

mstjohn_splunk — Thu, 23 Aug 2018 21:38:15 GMT

Hi @serviceinfrastructure - Did your answer provide a working solution to your question? If yes, don't forget to click "Accept" to close out your question so that others can easily find it if they are having the same issue. Thanks!