https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256199#M175816 <P>I got my problem ...<BR /> The logs I was trying to parse was Internet access logs.<BR /> I was trying to separate the Mime Type field precalculated which was formed like this:<BR /> mt=video/mp4 for example.</P> <P>My extraction was: rex field=mt "(?[a-zA-Z0-9]+)/\//(?[a-zA-Z0-9]+)"| </P> <P>And ... I discover that some logs include in the URL the "mime" value ...<BR /> So the treatment I was trying to do was also based on this value ...</P> <P>I've corrected the name of the extracted field and it's working fine ...</P> <P>Thanks a lot for your help !!!!</P> Fri, 27 Jan 2017 16:08:40 GMT Keyrl 2017-01-27T16:08:40Z https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256193#M175810 <P>Hi,</P> <P>I'm trying to extract to fields from a precalculated field and so far I've trouble with the forward slash character.<BR /> My field is formed like this:</P> <P>FieldGlobal=Field1/Field2</P> <P>I've tried the following : rex field=FieldGloba "(?[a-zA-Z0-9]+)\/(?[a-zA-Z0-9]+)"</P> <P>So far, it works for a lot of logs but for some, it gave something like:</P> <P>FieldExtracted1=Field1%2fField2</P> <P>Do you know how to work with that ?</P> <P>Regards</P> Fri, 27 Jan 2017 15:04:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256193#M175810 Keyrl 2017-01-27T15:04:08Z https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256194#M175811 <P>Give this a try</P> <PRE><CODE>your base search | rex field=FieldGloba "(?&lt;FieldExtracted1&gt;[^\/]+)\/(?&lt;FieldExtracted1&gt;.+)" </CODE></PRE> Fri, 27 Jan 2017 15:35:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256194#M175811 somesoni2 2017-01-27T15:35:08Z https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256195#M175812 <P>Thanks for your help !</P> <P>Same result apparently. I still have the "/" character that seems to be converted as %2F in some logs ...</P> Fri, 27 Jan 2017 15:40:38 GMT https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256195#M175812 Keyrl 2017-01-27T15:40:38Z https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256196#M175813 <P>I guess the raw data itself contains the that forwarder slash converted to %2F. So how about this?</P> <PRE><CODE>your base search | rex field=FieldGloba "(?&lt;FieldExtracted1&gt;.)(\/|%2F)(?&lt;FieldExtracted1&gt;.+)" </CODE></PRE> Fri, 27 Jan 2017 15:42:36 GMT https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256196#M175813 somesoni2 2017-01-27T15:42:36Z https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256197#M175814 <P>Mmhhh already tried it and it's even worse <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> I don't understand why as it should match ...</P> Fri, 27 Jan 2017 15:52:36 GMT https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256197#M175814 Keyrl 2017-01-27T15:52:36Z https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256198#M175815 <P>Well at this time, I would ask for sample events (scrub any sensitive information) for both scenarios ( where it's working and where it's not).</P> Fri, 27 Jan 2017 15:56:22 GMT https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256198#M175815 somesoni2 2017-01-27T15:56:22Z https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256199#M175816 <P>I got my problem ...<BR /> The logs I was trying to parse was Internet access logs.<BR /> I was trying to separate the Mime Type field precalculated which was formed like this:<BR /> mt=video/mp4 for example.</P> <P>My extraction was: rex field=mt "(?[a-zA-Z0-9]+)/\//(?[a-zA-Z0-9]+)"| </P> <P>And ... I discover that some logs include in the URL the "mime" value ...<BR /> So the treatment I was trying to do was also based on this value ...</P> <P>I've corrected the name of the extracted field and it's working fine ...</P> <P>Thanks a lot for your help !!!!</P> Fri, 27 Jan 2017 16:08:40 GMT https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256199#M175816 Keyrl 2017-01-27T16:08:40Z https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256200#M175817 <P>Glad things are working for you now. You can accept your own answer to make this question as resolved.</P> Fri, 27 Jan 2017 16:38:33 GMT https://community.splunk.com/t5/Splunk-Search/Regex-with-forward-slash-character/m-p/256200#M175817 somesoni2 2017-01-27T16:38:33Z