topic Re: Regular Expression for field extraction in Splunk Search

Regular Expression for field extraction

brennson90 — Tue, 23 Nov 2021 08:07:55 GMT

Hi everyone,

i got two URLs which i want to represent in one regex group. The dest Port (443) will be in a seperate group

Here are two examples.

my.url.is.here:443

When i use the following regex "(?<url>[^\s:]+):?" the first example is fine, but the second only catches "http" because it only matches till the ":"

Can someone help and fix my regex?

Thanks.

Re: Regular Expression for field extraction

ITWhisperer — Tue, 23 Nov 2021 08:25:17 GMT

If you don't mind losing the ?, you could use

"(?<url>.+)(:\d|\?)"

Re: Regular Expression for field extraction

brennson90 — Tue, 23 Nov 2021 08:46:47 GMT

Hi @ITWhisperer thx for the reply. Now the first number of the dest port is lost.

It captures everything till "my.url.is.here:4"

Re: Regular Expression for field extraction

ITWhisperer — Tue, 23 Nov 2021 09:05:47 GMT

Please provide the SPL you are using (in a code </> block preferably)

Re: Regular Expression for field extraction

brennson90 — Tue, 23 Nov 2021 09:43:07 GMT

I'm not 100% sure what you want to see.

This is my search

index=mysearch
| rex "\s(?<url>.+)(:\d|\?)(?<dest_port>\d+)?\s+"

Re: Regular Expression for field extraction

brennson90 — Tue, 23 Nov 2021 12:31:07 GMT

Hi, i found the solution "(?<url>.+)(:|\?)"

Anyways, thanks for the support @ITWhisperer