Solved: Extracting the field from the events - Splunk Community

Dashboards & Visualizations

Hi Team,

I have one requirement.

I need to extract one field from the event. Below are my events.

L=Phoenix, ST=Arizona, C=US>) GET https://lpdosputb50090.phx.vxp.com:9091/api/flow/process-groups/7

L=Phoenix, ST=Arizona, C=US>) GET https://lpdosputb50090.phx.vxp.com:9091/api/flow/process-groups

L=Phoenix, ST=Arizona, C=US>) PUT https://lpdosputb50090.phx.Vxp.com:9091/api/flow/process-groups/7c

L=Phoenix, ST=Arizona, C=US>) POST https://lpdosputb50087.phx.vxp.com:9091/api/flow/process-groups/

I want to extract the word that I have highlighted.

Can someone provide me regex for that.

1 Solution

Solution

please try this regex

| rex "\)\s+(?<action>[^ ]+)"

that you can test at https://regex101.com/r/23hLks/1

Ciao.

Giuseppe

View solution in original post

Try

\) (?<word>\w+) http

---
If this reply helps you, Karma would be appreciated.

Solution

please try this regex

| rex "\)\s+(?<action>[^ ]+)"

that you can test at https://regex101.com/r/23hLks/1

Ciao.

Giuseppe

@gcusello @richgalloway

Thank you so much. Solutions work for me.

Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...