https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311817#M93429 <P>That's exactly it ; -)</P> Mon, 20 Feb 2017 18:03:12 GMT ddrillic 2017-02-20T18:03:12Z https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311814#M93426 <P>We have a field such as - <CODE>activity="POST-&gt;/cirrus/v1.0/providers"</CODE><BR /> We would like to extract everything after the <CODE>POST-&gt;/cirrus/v1.0/</CODE> part.</P> <P>What would be a way to do it?</P> Mon, 20 Feb 2017 17:36:22 GMT https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311814#M93426 ddrillic 2017-02-20T17:36:22Z https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311815#M93427 <P>Sorry sorry - <CODE>| rex field=activity "POST-&gt;/cirrus/v1.0/(?&lt;activity_clean&gt;[a-z]+)"</CODE> did it...</P> Mon, 20 Feb 2017 17:50:14 GMT https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311815#M93427 ddrillic 2017-02-20T17:50:14Z https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311816#M93428 <P>1) is "POST" the only verb you want it for? 2) are there always exactly three slashes in the part you don't want?</P> Mon, 20 Feb 2017 18:00:11 GMT https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311816#M93428 DalJeanis 2017-02-20T18:00:11Z https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311817#M93429 <P>That's exactly it ; -)</P> Mon, 20 Feb 2017 18:03:12 GMT https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311817#M93429 ddrillic 2017-02-20T18:03:12Z https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311818#M93430 <P>This will pull that exact section out of a field called myfield and place it into a field called otherstuff</P> <PRE><CODE>| rex field=myfield "POST-&gt;\/[^\/]+\/[^\/]+\/(?&lt;otherstuff&gt;[^\"]+)" </CODE></PRE> <P>This will do that and also put the verb into a field called whatverb.</P> <PRE><CODE>| rex field=myfield "(?&lt;whatverb&gt;POST|DELETE|GET|PUT)-&gt;\/[^\/]+\/[^\/]+\/(?&lt;otherstuff&gt;[^\"]+)" </CODE></PRE> Mon, 20 Feb 2017 18:07:15 GMT https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311818#M93430 DalJeanis 2017-02-20T18:07:15Z https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311819#M93431 <P>Perfect!!!</P> Mon, 20 Feb 2017 19:29:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311819#M93431 ddrillic 2017-02-20T19:29:08Z https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311820#M93432 <P>Ah, you meant that value within quotes was the value of the activity field.</P> <P>I'd suggest changing that to one of the following -<BR /> | rex field=activity "POST-&gt;/cirrus/v1.0/(?<ACTIVITY_CLEAN>.+)" <BR /> or<BR /> | rex field=activity "POST-&gt;/cirrus/v1.0/(?<ACTIVITY_CLEAN>\w+)" </ACTIVITY_CLEAN></ACTIVITY_CLEAN></P> <P>...since you probably can't be sure that it will always be only lower-case alpha characters. You also don't know when the cirrus version might change, so you might want to wildcard that as well. I tested this as below.</P> <PRE><CODE>| makeresults | eval activity="POST-&gt;/cirrus/v1.0/providers" | rex field=activity "POST-&gt;/cirrus/[^/]+/(?&lt;activity_clean&gt;.+)" </CODE></PRE> <HR /> <P>I was a little surprised the slashes didn't have to be escaped, although the code DID accept escaping them. Live and learn.</P> Mon, 20 Feb 2017 19:40:11 GMT https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311820#M93432 DalJeanis 2017-02-20T19:40:11Z https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311821#M93433 <P>please accept your answer to close the question.</P> Mon, 20 Feb 2017 19:40:44 GMT https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311821#M93433 DalJeanis 2017-02-20T19:40:44Z https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311822#M93434 <P>I was surprised also about the non-escaping ; -) </P> Mon, 20 Feb 2017 19:41:59 GMT https://community.splunk.com/t5/Splunk-Search/Regex-assistance/m-p/311822#M93434 ddrillic 2017-02-20T19:41:59Z