topic Re: How extract URI using regex? in Splunk Search

How extract URI using regex?

karthi2809 — Tue, 16 Jan 2018 05:51:21 GMT

I need to extract fields which mentioned in yellow?

Re: How extract URI using regex?

mayurr98 — Tue, 16 Jan 2018 06:11:34 GMT

hey

you can try this run anywhere search

| makeresults | eval URI="/v1/cp/members/257425525/benefits/999F-20180101-20181231-MED/excluded" | rex field=URI "(?<first>^\/[^\/]+\/[^\/]+\/[^\/]+)\/[^\/]+\/(?<second>\w+)"

In your environment, you should write

 <base_search> | rex field=URI "(?<first>^\/[^\/]+\/[^\/]+\/[^\/]+)\/[^\/]+\/(?<second>\w+)"

let me know if this helps!

Re: How extract URI using regex?

esix_splunk — Tue, 16 Jan 2018 06:17:44 GMT

You can try the following...

(?<capture1>\/(\w+\/){3})\d+\/(?<capture2>\w+)\/.*\/(?<capture3>\w+)

In SPL...

| makeresults 
| eval URI="/v1/cp/members/257425525/benefits/999F-20180101-20181231-MED/excluded" 
| rex field=URI "(?<capture1>\/(\w+\/){3})\d+\/(?<capture2>\w+)\/.*\/(?<capture3>\w+)"

This will work for up to the third iteration. If you need to keep capturing, you can keep adding to that regex...

Re: How extract URI using regex?

karthi2809 — Tue, 16 Jan 2018 07:12:42 GMT

Hi mayurr

Thanks for you valuable answer but i send sample URI .there is lot of URI like this how can we extract using mode=sed

Re: How extract URI using regex?

mayurr98 — Tue, 16 Jan 2018 07:42:27 GMT

try this!
If you want to capture say benefits and excluded in one event then try this!

 | rex field=URI max_match=0 "(MED|\d{2,})\/(?P<sec>\w+)"

OR
if you want in three different field then use this

| rex field=URI "(?<first>^\/[^\/]+\/[^\/]+\/[^\/]+)\/[^\/]+\/(?<second>\w+)\/.*\/(?<Third>\w+)"