topic Re: Need help with rex in Splunk Search

Need help with rex

xvxt006 — Thu, 29 May 2014 16:50:05 GMT

Hi,

i am using this expression - base search | rex field=uri "better\?q=(?[^&]+)$"

and i was expecting to return events which ends with having only q value but not having others as shown below.

better?q=GARAGE+DOOR+9+FT+WIDE

but it is showing all the events which have values after & (startIndex=000041&itemsperpage=0030)

better?q=GARAGE+DOOR+9+FT+WIDE&startIndex=000041&itemsperpage=0030

Any idea what i am missing here?

Re: Need help with rex

richgalloway — Thu, 29 May 2014 17:07:49 GMT

I had success in RegExr with this string:

better\?q=([^&]+)&

Re: Need help with rex

somesoni2 — Thu, 29 May 2014 17:33:02 GMT

Try this (run anywhere)

|stats count | eval uri="better?q=GARAGE+DOOR+9+FT+WIDE##better?q=GARAGE+DOOR+9+FT+WIDE&startIndex=000041&itemsperpage=0030" | table uri | makemv delim="##" uri | mvexpand uri  
| regex uri="better\?q=([^&]+)$"


<<Your base search with field uri >>  | regex uri="better\?q=([^&]+)$"

Re: Need help with rex

xvxt006 — Thu, 29 May 2014 20:08:40 GMT

i see that you are using eval for the acutal uri i gave. But I just gave an example to show you what i want. I have lot of events like that. I cannot put all of those in my search query right?

Re: Need help with rex

somesoni2 — Thu, 29 May 2014 20:19:01 GMT

That is just a syntax to get example data to work on(since I don't have sample logs). Just replace everything before "regex" command with your base search.