https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296637#M89483 <PRE><CODE>|rex mode=sed "s/^((\/\w+){2})(\/\D+).*?(\/\w+\/\D+).*?(\/\w+)/\1\3\4\5/g" </CODE></PRE> Thu, 29 Mar 2018 07:56:30 GMT ips_mandar 2018-03-29T07:56:30Z https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296634#M89480 <P>my regex:</P> <P>s/[^a-z]+\d/####/g</P> <P>Output:<BR /> /v3/securemessages/members654fdfgd2-b2ad545a-b2f2-d545eb545d45/messages/incident4545/reply</P> <P>Expected output:</P> <P>/v3/securemessages/members/messages/incident/reply</P> <P>please help on this.</P> Thu, 29 Mar 2018 06:25:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296634#M89480 karthi2809 2018-03-29T06:25:21Z https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296635#M89481 <P>try this,</P> <PRE><CODE>.+((?i)members\/).+ </CODE></PRE> Thu, 29 Mar 2018 06:37:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296635#M89481 splunker12er 2018-03-29T06:37:33Z https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296636#M89482 <P>Hi,<BR /> can you try this:</P> <PRE><CODE>...|rex mode=sed "s/^((\/\w+){2})(\/\D+).*?(\/\w+\/\D+).*?(\/\w+)/\1\3\4\5/g" </CODE></PRE> Thu, 29 Mar 2018 07:54:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296636#M89482 ips_mandar 2018-03-29T07:54:40Z https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296637#M89483 <PRE><CODE>|rex mode=sed "s/^((\/\w+){2})(\/\D+).*?(\/\w+\/\D+).*?(\/\w+)/\1\3\4\5/g" </CODE></PRE> Thu, 29 Mar 2018 07:56:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296637#M89483 ips_mandar 2018-03-29T07:56:30Z https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296638#M89484 <P>@karthi2809, what exactly are you trying to achieve if I may ask?</P> <P>Do you simply want to get rid of the numbers and symbols from any directory level in your path?<BR /> If so, what about v3, does that count too?</P> <P>See in any case my answer below in case it helps.</P> Thu, 29 Mar 2018 08:02:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296638#M89484 javiergn 2018-03-29T08:02:51Z https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296639#M89485 <P>As I mentioned above, try the following regex:</P> <PRE><CODE>| rex field=yourfield mode=sed "s/(\/[A-Za-z][A-Za-z]+)([^\/]+)?/\1/g" </CODE></PRE> <P>For example, if I replicate your example in my lab:</P> <PRE><CODE>| makeresults | eval foo = "/v3/securemessages/members654fdfgd2-b2ad545a-b2f2-d545eb545d45/messages/incident4545/reply" | rex field=foo mode=sed "s/(\/[A-Za-z][A-Za-z]+)([^\/]+)?/\1/g" </CODE></PRE> <P>Output:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4643i1ED0B6CD9F310F0C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Hope that helps.</P> <P>Thanks,<BR /> J</P> Thu, 29 Mar 2018 08:05:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296639#M89485 javiergn 2018-03-29T08:05:23Z https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296640#M89486 <P>Thanks J <BR /> When i used the regex i am getting output like this <BR /> /v3/securemessages/members/a#####aae#####b#####e-ae#####e#####aa#####f/categories</P> <P>Because I have lot URI in my event</P> <P>so i have query like this below:</P> <P>index=test_prod| rex field=URI "^(?.+?)(\?|\z)" <BR /> | rex field=APIName mode=sed "s/[0-9A-F]{32}/#####/g" <BR /> | rex field=APIName mode=sed "s/[0-9]{7}[\w]{2}[\d]{4}/#####/g"| rex field=APIName mode=sed "s/[^a-z]+\d/#####/g"| rex field=APIName mode=sed "s/[0-9]+\d/#####/g" |rex field=APIName mode=sed "s/(\/[A-Za-z][A-Za-z]+)([^\/]+)?/\1/g" <BR /> | stats count by APIName Sender</P> <P>Can you please help on this</P> Thu, 29 Mar 2018 12:05:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296640#M89486 karthi2809 2018-03-29T12:05:31Z https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296641#M89487 <P>Hi,</P> <P>What do you want to see instead of </P> <PRE><CODE>/v3/securemessages/members/a#####aae#####b#####e-ae#####e#####aa#####f/categories </CODE></PRE> <P>All the rex's you are running there in SED mode are basically replacing every match with 5 hashes so if you don't want to see that you can simply leave the second part of your SED pattern empty, as in:</P> <PRE><CODE>| rex field=APIName mode=sed "s/[0-9A-F]{32}//g" | rex field=APIName mode=sed "s/[0-9]{7}[\w]{2}[\d]{4}//g" | rex field=APIName mode=sed "s/[^a-z]+\d//g" | rex field=APIName mode=sed "s/[0-9]+\d//g" </CODE></PRE> <P>But it all looks over complicated to me so again, if you can provide a detailed sample, how it looks initially and your desired output, I might be able to help more.</P> Thu, 29 Mar 2018 12:10:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296641#M89487 javiergn 2018-03-29T12:10:55Z https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296642#M89488 <P>Thanks a lot </P> <P>There is lot of URL i will send some complicated URI<BR /> /v1/utility/hcpcsprocedurecodes/j7q <BR /> /v1/utility/hcpcsprocedurecodes/m<BR /><BR /> /v1/utility/hcpcsprocedurecodes/m7zv<BR /><BR /> /v1/utility/hcpcsprocedurecodes/m7zz<BR /><BR /> /v1/utility/revenuecodes/m <BR /> /v1/utility/revenuecodes/m7zv<BR /> /v3/securemessages/members/afae0-a4ecae9be1/categories <BR /> /v3/securemessages/members/afbfc-a7d3-f4afedf/categories<BR /> /v3/securemessages/members/bda8eaaa-bdaf1e/messages/incident/reply</P> <P>Have to remove ' bda8eaaa-bdaf1e','afbfc-a7d3-f4afedf'</P> Thu, 29 Mar 2018 13:48:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-validate-regex-expression/m-p/296642#M89488 karthi2809 2018-03-29T13:48:44Z