Archive
Highlighted

Regex with forward slash character

Explorer

Hi,

I'm trying to extract to fields from a precalculated field and so far I've trouble with the forward slash character.
My field is formed like this:

FieldGlobal=Field1/Field2

I've tried the following : rex field=FieldGloba "(?[a-zA-Z0-9]+)\/(?[a-zA-Z0-9]+)"

So far, it works for a lot of logs but for some, it gave something like:

FieldExtracted1=Field1%2fField2

Do you know how to work with that ?

Regards

Tags (1)
0 Karma
Highlighted

Re: Regex with forward slash character

SplunkTrust
SplunkTrust

Give this a try

your base search | rex field=FieldGloba "(?<FieldExtracted1>[^\/]+)\/(?<FieldExtracted1>.+)"
0 Karma
Highlighted

Re: Regex with forward slash character

Explorer

Thanks for your help !

Same result apparently. I still have the "/" character that seems to be converted as %2F in some logs ...

0 Karma
Highlighted

Re: Regex with forward slash character

SplunkTrust
SplunkTrust

I guess the raw data itself contains the that forwarder slash converted to %2F. So how about this?

your base search | rex field=FieldGloba "(?<FieldExtracted1>.)(\/|%2F)(?<FieldExtracted1>.+)"
0 Karma
Highlighted

Re: Regex with forward slash character

Explorer

Mmhhh already tried it and it's even worse 🙂
I don't understand why as it should match ...

0 Karma
Highlighted

Re: Regex with forward slash character

SplunkTrust
SplunkTrust

Well at this time, I would ask for sample events (scrub any sensitive information) for both scenarios ( where it's working and where it's not).

0 Karma
Highlighted

Re: Regex with forward slash character

Explorer

I got my problem ...
The logs I was trying to parse was Internet access logs.
I was trying to separate the Mime Type field precalculated which was formed like this:
mt=video/mp4 for example.

My extraction was: rex field=mt "(?[a-zA-Z0-9]+)/\//(?[a-zA-Z0-9]+)"|

And ... I discover that some logs include in the URL the "mime" value ...
So the treatment I was trying to do was also based on this value ...

I've corrected the name of the extracted field and it's working fine ...

Thanks a lot for your help !!!!

View solution in original post

0 Karma
Highlighted

Re: Regex with forward slash character

SplunkTrust
SplunkTrust

Glad things are working for you now. You can accept your own answer to make this question as resolved.

0 Karma