https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335966#M99761 <P>There are many API i need to extract all the API </P> <P>/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58490<BR /><BR /> /v1/caremanagement/utilizationmanagementinquiry/casesummary?id=372A69838<BR /> /v0/providers/codes/list/AREA_OF_EXPERTISE<BR /><BR /> /v0/providers/codes/list/LANGUAGES<BR /><BR /> /v0/providers/codes/list/PATIENT_PREFERENCES<BR /><BR /> /v0/providers/codes/list/PROVIDER_TYPES <BR /> /v0/providers/details/byid/#####?sourcesystemid=0<BR /><BR /> /v0/providers/professionals/search<BR /><BR /> /v0/providers/specialities/list/C?levelofcareind=false<BR /><BR /> /v0/providers/specialities/list/C?levelofcareind=true</P> <P>Expected result :<BR /> /v1/caremanagement/utilizationmanagementinquiry/casesummary<BR /> /v0/providers/codes/list<BR /> /v0/providers/specialities/list</P> Tue, 29 Sep 2020 17:12:28 GMT karthi2809 2020-09-29T17:12:28Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335962#M99757 <P>How to extract field using mode=sed for name extraction?</P> <P>index=test Sender=PEGAS | rex field= URI"^(?.+?)(\?|\z)" | rex field=URI mode=sed "s/[0-9A-F]{32}/#####/g" <BR /> | rex field=URI mode=sed "s/[0-9]{7}[\w]{2}[\d]{4}/#####/g" <BR /> | stats count by URI</P> <P>My output :<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3988i1533754788AD3E52/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Expected result :</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3989i8C3870A290604035/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 11 Dec 2017 13:02:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335962#M99757 karthi2809 2017-12-11T13:02:10Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335963#M99758 <P>Hi @karthi2809,</P> <P>If I am understanding your question correctly you want to extract everything before last <CODE>/</CODE> then you can use regex <CODE>| rex "(?&lt;URI&gt;.*)\/"</CODE></P> <P>Sample query based on sample data which you have provided below query will extract everything before last <CODE>/</CODE> and after that I am filtering <CODE>/v0/providers/code/list/</CODE> in <CODE>where</CODE> command. First 2 lines in below query used to generate sample data.</P> <PRE><CODE>| makeresults | eval _raw="/v0/providers/code/list/LANGUAGE" | rex "(?&lt;Extracted_URI&gt;.*)\/" | where Extracted_URI="/v0/providers/code/list" </CODE></PRE> <P>So your query will be</P> <PRE><CODE>&lt; your search&gt; | rex field=URI "(?&lt;Extracted_URI&gt;.*)\/" | where Extratced_URI="/v0/providers/code/list" </CODE></PRE> Mon, 11 Dec 2017 13:13:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335963#M99758 harsmarvania57 2017-12-11T13:13:38Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335964#M99759 <P>@karthi2809, can you use the <CODE>code button (101010)</CODE> on Splunk Answers to post your SPL so that special characters do not escape? Also values in your current output feel similar to expected output. What is the difference you want to see? Can you give example value of field URI and what you need to extract/convert in the same?</P> Mon, 11 Dec 2017 13:16:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335964#M99759 niketn 2017-12-11T13:16:05Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335965#M99760 <P>My output:<BR /> /v0/providers/codes/list/LANGUAGES<BR /><BR /> /v0/providers/codes/list/PATIENT_PREFERENCES<BR /><BR /> /v0/providers/codes/list/PROVIDER_TYPES <BR /> /v0/providers/details/byid/#####?sourcesystemid=0<BR /><BR /> /v0/providers/professionals/search<BR /><BR /> /v0/providers/specialities/list/C?levelofcareind=false<BR /><BR /> /v0/providers/specialities/list/C?levelofcareind=true<BR /><BR /> /v0/providers/specialities/list/L?levelofcareind=false<BR /> /v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58<BR /><BR /> /v1/caremanagement/utilizationmanagementinquiry/casesummary?id=372A69</P> <P>Expected result is <BR /> /v0/providers/codes/list<BR /> /v0/providers/specialities/list<BR /> /v1/caremanagement/utilizationmanagementinquiry/casesummary</P> Tue, 29 Sep 2020 17:12:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335965#M99760 karthi2809 2020-09-29T17:12:25Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335966#M99761 <P>There are many API i need to extract all the API </P> <P>/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58490<BR /><BR /> /v1/caremanagement/utilizationmanagementinquiry/casesummary?id=372A69838<BR /> /v0/providers/codes/list/AREA_OF_EXPERTISE<BR /><BR /> /v0/providers/codes/list/LANGUAGES<BR /><BR /> /v0/providers/codes/list/PATIENT_PREFERENCES<BR /><BR /> /v0/providers/codes/list/PROVIDER_TYPES <BR /> /v0/providers/details/byid/#####?sourcesystemid=0<BR /><BR /> /v0/providers/professionals/search<BR /><BR /> /v0/providers/specialities/list/C?levelofcareind=false<BR /><BR /> /v0/providers/specialities/list/C?levelofcareind=true</P> <P>Expected result :<BR /> /v1/caremanagement/utilizationmanagementinquiry/casesummary<BR /> /v0/providers/codes/list<BR /> /v0/providers/specialities/list</P> Tue, 29 Sep 2020 17:12:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335966#M99761 karthi2809 2020-09-29T17:12:28Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335967#M99762 <P>Expected Results and Output which you have provided have not consistent unique pattern because in <CODE>/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58490</CODE> this API call you want to extract everything before <CODE>?</CODE> however <CODE>/v0/providers/specialities/list/C?levelofcareind=false</CODE> in this API call you want to extract everything before <CODE>/</CODE> so can we have unique pattern please ? If not then we can't assume that on which API call you want to extract till which delimiter.</P> Mon, 11 Dec 2017 14:29:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335967#M99762 harsmarvania57 2017-12-11T14:29:12Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335968#M99763 <P>You don't want these lines?? </P> <PRE><CODE>/v0/providers/details/byid/#####?sourcesystemid=0 /v0/providers/professionals/search </CODE></PRE> Mon, 11 Dec 2017 17:06:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335968#M99763 somesoni2 2017-12-11T17:06:03Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335969#M99764 <P>Try This , i replaced the '?' in the sting by '/' - Now the string that you want would be everything before the last '/'</P> <P>| makeresults <BR /> | eval _raw="/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58"<BR /> | rex mode=sed field=_raw "s/\?/\//g"<BR /> | rex field=_raw "(?&lt;_raw&gt;.*)\/"</P> Tue, 29 Sep 2020 22:29:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-field-using-mode-sed-for-name-extraction/m-p/335969#M99764 saurabhkharkar 2020-09-29T22:29:28Z