https://community.splunk.com/t5/Splunk-Search/How-can-I-improve-my-regular-expression-to-extract-a-field/m-p/244938#M72959 <P>Hey i have the following logs:</P> <PRE><CODE>INCOMING REQUEST: URL: /pop/v1/enviro/2ee999b4-d97ba81bdefd/updatesearching/ </CODE></PRE> <P>i need to extract the numbers after <CODE>enviro/</CODE> and before <CODE>/updatesearching</CODE></P> <P>i created following regular expression: <CODE>REX "URL:\s\/\w+\/\w+\/\enviro/(?.*)/updatesearching/</CODE></P> <P>but i'm not getting it. how can i improve the regular expression or how can i extract that number?</P> Fri, 20 Jan 2017 15:52:35 GMT guillecasco 2017-01-20T15:52:35Z https://community.splunk.com/t5/Splunk-Search/How-can-I-improve-my-regular-expression-to-extract-a-field/m-p/244938#M72959 <P>Hey i have the following logs:</P> <PRE><CODE>INCOMING REQUEST: URL: /pop/v1/enviro/2ee999b4-d97ba81bdefd/updatesearching/ </CODE></PRE> <P>i need to extract the numbers after <CODE>enviro/</CODE> and before <CODE>/updatesearching</CODE></P> <P>i created following regular expression: <CODE>REX "URL:\s\/\w+\/\w+\/\enviro/(?.*)/updatesearching/</CODE></P> <P>but i'm not getting it. how can i improve the regular expression or how can i extract that number?</P> Fri, 20 Jan 2017 15:52:35 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-improve-my-regular-expression-to-extract-a-field/m-p/244938#M72959 guillecasco 2017-01-20T15:52:35Z https://community.splunk.com/t5/Splunk-Search/How-can-I-improve-my-regular-expression-to-extract-a-field/m-p/244939#M72960 <P>Can you please try this and see if it works for you:</P> <P>If it's always between <CODE>enviro</CODE> and <CODE>updatesearching</CODE>:</P> <PRE><CODE>your query to return events |rex field=_raw "enviro\/(?&lt;capturedNum&gt;[^\/]+)\/updatesearching" | table capturedNum </CODE></PRE> <P>If the numbers of interest come always after <CODE>enviro</CODE>:</P> <PRE><CODE>your query to return events |rex field=_raw "\/enviro\/(?&lt;capturedNum&gt;[^\/]+)\/" | table capturedNum </CODE></PRE> <P>If it's always the fourth element then try this:</P> <PRE><CODE>your query to return events |rex field=_raw "URL:\s*\/([^\s\/]+\/){3}(?&lt;capturedNum&gt;[^\/]+)\/" | table capturedNum </CODE></PRE> Fri, 20 Jan 2017 16:04:32 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-improve-my-regular-expression-to-extract-a-field/m-p/244939#M72960 gokadroid 2017-01-20T16:04:32Z https://community.splunk.com/t5/Splunk-Search/How-can-I-improve-my-regular-expression-to-extract-a-field/m-p/244940#M72961 <P>it worked! |rex field=_raw "enviro\/(?[^\/]+)\/updatesearching" thanks dude</P> Fri, 20 Jan 2017 17:58:10 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-improve-my-regular-expression-to-extract-a-field/m-p/244940#M72961 guillecasco 2017-01-20T17:58:10Z https://community.splunk.com/t5/Splunk-Search/How-can-I-improve-my-regular-expression-to-extract-a-field/m-p/244941#M72962 <P>what is the field=_raw does exactly. I didnt put there anything</P> Fri, 20 Jan 2017 18:02:49 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-improve-my-regular-expression-to-extract-a-field/m-p/244941#M72962 guillecasco 2017-01-20T18:02:49Z