https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624428#M217095 <P>the search didnt give any results, also how do i get results of all the other companies like facebook, twitter?</P> Thu, 15 Dec 2022 18:21:12 GMT mikeyty07 2022-12-15T18:21:12Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624284#M217052 <P>I have an access logs which prints like this<BR /><SPAN class="">server</SPAN> <SPAN class="">-</SPAN> <SPAN class="">-</SPAN><SPAN> [date&amp; time</SPAN><SPAN>] "</SPAN><SPAN class="">GET</SPAN> <SPAN class="">/google/page1/page1a/633243463476/googlep1</SPAN><SPAN>?</SPAN><SPAN class="">sc=RT</SPAN><SPAN>&amp;</SPAN><SPAN class="">lo=en_US</SPAN> <SPAN class="">HTTP/1.1</SPAN><SPAN>" </SPAN><SPAN class="">200</SPAN> <SPAN class="">350</SPAN> <SPAN class="">85<BR /></SPAN>which rex is&nbsp;<BR />| rex field=_raw "(?&lt;SRC&gt;\d+\.\d+\.\d+\.\d+).+\]\s\"(?&lt;http_method&gt;\w+)\s(?&lt;uri_path&gt;\S+)\s(?&lt;uri_query&gt;\S+)\"\s(?&lt;statusCode&gt;\d+)\s(?&lt;body_size&gt;\d+)\s\s(?&lt;response_time&gt;\d+)"</P> <P>Is there a way to seperate uri into two or 3?</P> <P>&nbsp;<SPAN class="">/google/page1/page1a/633243463476/googlep1</SPAN><SPAN>?</SPAN><SPAN class="">sc=RT</SPAN><SPAN>&amp;</SPAN><SPAN class="">lo=en_US&nbsp;</SPAN></P> <P><SPAN class="">TO</SPAN></P> <P><SPAN class="">&nbsp;/google<BR />/page1/page1a/633243463476/googlep1<SPAN>?</SPAN>sc=RT<SPAN>&amp;</SPAN>lo=en_US&nbsp;</SPAN></P> <P><SPAN class="">OR</SPAN></P> <P><SPAN>/google<BR />/page1/page1a/633243463476/googlep1&nbsp;<BR /></SPAN><SPAN>?</SPAN><SPAN>sc=RT</SPAN><SPAN>&amp;</SPAN><SPAN>lo=en_US</SPAN></P> <P>&nbsp;</P> Thu, 15 Dec 2022 01:06:39 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624284#M217052 mikeyty07 2022-12-15T01:06:39Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624296#M217057 <P>This will get the 3 parts</P><LI-CODE lang="markup">(?&lt;uri_root&gt;/[^/]+)(?&lt;uri_path&gt;[^?\s]+)\s?(?&lt;uri_query&gt;\S+)</LI-CODE> Wed, 14 Dec 2022 23:09:20 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624296#M217057 bowesmana 2022-12-14T23:09:20Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624347#M217078 <P>An alternative to regex is to use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions#split.28X.2C.22Y.22.29" target="_blank" rel="noopener">split</A>, which can be more semantically explicit. (And slightly more efficient.)</P><P><SPAN>Now to using split. &nbsp;Assuming that you have that field uri.</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">| eval uri = split(uri, "?") | eval uri_query = "?" . mvindex(uri, 1) ``` ?sc=RT&amp;lo=en_US ``` | eval uri = split(mvindex(uri, 0), "/") | eval root = "/" . mvindex(uri, 1) ``` /google ``` | eval remainder = "/" . mvjoin(mvindex(uri, 2, -1), "/")</LI-CODE><P>&nbsp;</P><P>This gives</P><TABLE><TBODY><TR><TD>remainder</TD><TD>root</TD><TD>uri_query</TD></TR><TR><TD>/page1/page1a/633243463476/googlep1</TD><TD>/google</TD><TD>?sc=RT&amp;lo=en_US</TD></TR></TBODY></TABLE><P>&nbsp;</P> Thu, 15 Dec 2022 10:54:03 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624347#M217078 yuanliu 2022-12-15T10:54:03Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624428#M217095 <P>the search didnt give any results, also how do i get results of all the other companies like facebook, twitter?</P> Thu, 15 Dec 2022 18:21:12 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624428#M217095 mikeyty07 2022-12-15T18:21:12Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624456#M217106 <P>Thank you worked like a charm, however i used<BR />(?&lt;uri_root&gt;/[^/]+)(?&lt;uri_path&gt;[^?\s]+)\s(?&lt;uri_query&gt;\S+)<BR />uri_query seemed to give results for Http/1.1<BR /><BR />can you also please check this? It is follow up question.<BR /><A href="https://community.splunk.com/t5/Splunk-Search/Using-lookup-command-after-rex-field/td-p/624450" target="_blank">https://community.splunk.com/t5/Splunk-Search/Using-lookup-command-after-rex-field/td-p/624450</A></P> Thu, 15 Dec 2022 20:08:52 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-rex-to-divide-api-name/m-p/624456#M217106 mikeyty07 2022-12-15T20:08:52Z