topic Re: Regex question in Splunk Search

Regex question

xvxt006 — Sun, 27 Oct 2013 21:29:07 GMT

Hi,

we have 2 uri patterns as shown below

/search?searchQuery=4gmw4 (the end part is always single word which is alpha numeric)
/search?searchQuery=Snatch+Blocks++%281%2F2+to+2+ton%29 (in this end part can have spaces, multiple words, etc).

for the first one i tried this and did not work.
| regex uri="(?=/search\?searchQuery=\w+$)"

2nd one no clue. Any suggestions would help.

Re: Regex question

xvxt006 — Mon, 28 Oct 2013 00:24:16 GMT

Actually the below expression did work out for me for the first uri pattern.
| regex (uri="searchQuery=\w{5}" i want to get only 2nd pattern but not the 1st one..

so i tried this but giving me syntax error. Can someone help with this?

regex (uri="searchQuery=\w+" AND regex (uri!="searchQuery=\w{5}")

Re: Regex question

xvxt006 — Mon, 28 Oct 2013 00:25:54 GMT

i think when i add backslash it is somehow skipping that in the portal. So there is backslash next to w

Re: Regex question

_d_ — Mon, 28 Oct 2013 00:50:29 GMT

You can try using a regex that captures anything that follows the equal sign, that is not an equal sign.

| regex uri="(searchQuery=[^=]*$)"

Re: Regex question

amarsaroj — Mon, 28 Oct 2013 04:56:29 GMT

adding to above answer:

If you want to capture the 2 uri patterns separately, then use

| regex uri="(searchQuery=[^+=]$)"
and
| regex uri="(searchQuery=[^=]+[^=]$)"

assuming '+' does not appears in first uri type and is always present in 2nd uri type.