Solved: Re: regex not working propoerly

prannoy93singh · ‎07-03-2018

/api/v1/user/engines/forecast/xyz?abc=true

For the above URL, I want to display the URL in the table till xyz (/api/v1/user/engines/forecast/xyz).
I am using the following regex

| regex requestURI = _raw "/[^?]*/"                                // not include data after ?
| regex requestURI = ".*[^.txt]$"                                     // no .txt extensions in the URI
| regex requestURI = "/[0-9a-zA-Z]{3,}/"                         // minimum length should be 3

But the first one is not working and the whole URL is being displayed

woodcock · ‎07-03-2018

You are confusing regex with rex. Try this:

|makeresults | eval _raw="/api/v1/user/engines/forecast/xyz?abc=true"
| rex "^(?<requestURI1>/[^?]*/)"
| rex "(?<requestURI2>.*[^.txt])$"
| rex "(?<requestURI3>/[0-9a-zA-Z]{3,}/)"

View solution in original post

woodcock · ‎07-03-2018

You are confusing regex with rex. Try this:

|makeresults | eval _raw="/api/v1/user/engines/forecast/xyz?abc=true"
| rex "^(?<requestURI1>/[^?]*/)"
| rex "(?<requestURI2>.*[^.txt])$"
| rex "(?<requestURI3>/[0-9a-zA-Z]{3,}/)"

MuS · ‎07-03-2018

Hi prannoy93singh,

to match / you need to escape them in the regex, try this:

 \/[^?]+

cheers, MuS

prannoy93singh · ‎07-03-2018

I tried running the above query, but it is still not giving the desired result.

/api/v1/user/abc/xyz/24966700::2?personalizationChannel=ADVISOR_CENTER

such queries are still showing

MuS · ‎07-03-2018

Use rex instead, test it with this run everywhere example:

| makeresults 
| eval foo="/api/v1/user/abc/xyz/24966700::2?personalizationChannel=ADVISOR_CENTER" 
| rex field=foo "(?<MyNewField>\/[^?]+)"

the field MyNewField has the value of /api/v1/user/abc/xyz/24966700::2 in this example.

cheers, MuS

regex not working propoerly

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor