topic Re: Rex match if else style in Splunk Search

Rex match if else style

jeck11 — Fri, 15 Sep 2023 15:13:29 GMT

Here are three lines of the file to illustrate what I'm going for:

Line from file	Desired field
URI : https://URL.net/token	token
URI : https://URL.net/rest/v1/check	rest/v1/check
URI : https://URL.net/service_name/3.0.0/accounts/bah	service_name

I have successfully extracted the 3rd example using this:
rex field=_raw "URI.+\:\shttp.+\.(net|com)\/(?<URI_ABR>.+)\/\d+\."

That does not match the other two though so no field is extracted. Is there a way to say if it doesn't match that regex then capture till the end of line?

I've tried this but then the 3rd example also captures everything till the end of the line:
rex field=_raw "URI.+\:\shttp.+\.(net|com)\/(?<URI_ABR>.+)(\/\d+\.|\n)"

Re: Rex match if else style

richgalloway — Fri, 15 Sep 2023 16:49:46 GMT

The desired extractions are inconsistent. The first two want everything after the domain, but the third wants only the first segment after the domain. Please specify the rules for extracting URI_ABR.

Re: Rex match if else style

jeck11 — Fri, 15 Sep 2023 17:52:07 GMT

Unfortunately, there are two different rules at play. One needs everything after the URL and the other only needs the URI which is a service name. That's what I've been struggling with.