topic Re: Extract field after text in Splunk Search

Extract field after text

ashvini_mishra — Thu, 23 Sep 2021 17:05:09 GMT

Here is log example -

http://host/manager/resource_identifier/ids/getOrCreate/bulk?dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 Created:78

I need to extract string after ids/ untill first ? or :

So output would be - getOrCreate/bulk

I am trying this -

rex field=log ":(?<url>ids\/[^?: ]*)"

What am I missing?

Re: Extract field after text

danielcj — Thu, 23 Sep 2021 17:19:17 GMT

Hello,

Please, try the following:

| rex field=log "ids\/(?<url>[^\?|\:]+)"

If your "log" field is not presenting the log example that you used, you can try substitute field=log to field=_raw

Re: Extract field after text

ashvinpandey — Thu, 23 Sep 2021 17:27:33 GMT

@ashvini_mishra Try this:

| rex field=_raw "ids\/(?P<url>.*?)\?"

if this is some fieldname then just replace _raw by your fieldname, or use the below rex:

| rex field=log "ids\/(?P<url>.*?)\?"

Also, If this reply helps you, an upvote would be appreciated.

Re: Extract field after text

ashvini_mishra — Thu, 23 Sep 2021 18:29:06 GMT

@danielcj @ashvinpandey

Thank for your responses, this works -

I saw some of my logs don't have "ids/" in them, in that case url turns out to be blank. Here how can I perform an OR operation to calculate url as - rex field=log "com\/(?<url>[^\?|\:\/ ]+)"

That is -

if - "ids\/(?P<url>[^?:\s]+)" return blank then extract url as - "com\/(?<url>[^\?|\:\/ ]+)"