Solved: Extracting the field from the events - Splunk Community

Dashboards & Visualizations

Hi Team,

I have one requirement.

I need to extract one field from the event. Below are my events.

L=Phoenix, ST=Arizona, C=US>) GET https://lpdosputb50090.phx.vxp.com:9091/api/flow/process-groups/7

L=Phoenix, ST=Arizona, C=US>) GET https://lpdosputb50090.phx.vxp.com:9091/api/flow/process-groups

L=Phoenix, ST=Arizona, C=US>) PUT https://lpdosputb50090.phx.Vxp.com:9091/api/flow/process-groups/7c

L=Phoenix, ST=Arizona, C=US>) POST https://lpdosputb50087.phx.vxp.com:9091/api/flow/process-groups/

I want to extract the word that I have highlighted.

Can someone provide me regex for that.

1 Solution

Solution

please try this regex

| rex "\)\s+(?<action>[^ ]+)"

that you can test at https://regex101.com/r/23hLks/1

Ciao.

Giuseppe

View solution in original post

Try

\) (?<word>\w+) http

---
If this reply helps you, Karma would be appreciated.

Solution

please try this regex

| rex "\)\s+(?<action>[^ ]+)"

that you can test at https://regex101.com/r/23hLks/1

Ciao.

Giuseppe

@gcusello @richgalloway

Thank you so much. Solutions work for me.

Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...