@gcusello 

| rex "GET\s+(?<Request_URL>[^ ]+)"

Its not always GET before. Is there any general way to extract it by not using GET. 

I want till here:

https://abcdefghu50089.phx.aexp.com:9091/api/process-groups/abd637bd-ec30-1447-0000-00002c0daf8d

Hi @aditsss,

The only way to extract a field is to identify a rule (a regex).

If in your logs you could also have POST instead GET or another word, you have to find a rule:

can you say that you always have in order:

• open parentesys,
• GET or POST or another word,
• the URL to extract,
• closed parenthesis.

If this is your situation, you could try something like this:

| rex "\)\s+\w+\s+(?<Request_URL>[^ ]+)\s+\("

that you can test at https://regex101.com/r/VZQjXU/2

Ciao.

Giuseppe

@bowesmana @gcusello 

some more logs:

2020-10-13 00:19:06,574 INFO [24962] o.a.n.w.s.Filter Attempting request for (<agane22><CN=com, OU=Middleware Utilities,L=Phoenix, ST=Arizona, C=US>) GET https://abcdefghj50089.phx.xp.com:9091/api/flow/process-groups/00cbae21-0174-1000-ffff-ffffeaa916f7/controller-services (source )

2020-10-13 00:19:06,574 INFO [24962] o.a.n.w.s.Filter Attempting request for (<agane22><CN=com, OU=Middleware Utilities,L=Phoenix, ST=Arizona, C=US>) POST https://abcdefghj50089.phx.xp.com:9091/api/flow/process-groups/20d3839e-0175-1000-0000-00007664d52e/snippet-instance (source )

I want to extract Id's . Can someone provide me the exact regex for it?

Hi @aditsss,

you could use two times the rex command, something like this:

| makeresults 
| eval my_field="2020-10-13 00:19:06,574 INFO [24962] o.a.n.w.s.Filter Attempting request for (<agane22><CN=com, OU=Middleware Utilities,L=Phoenix, ST=Arizona, C=US>) GET https://abcdefghj50089.phx.xp.com:9091/api/flow/process-groups/00cbae21-0174-1000-ffff-ffffeaa916f7/controller-services (source )"
| rex field=my_field "\)\s+\w+\s+(?<Request_URL>[^ ]+)\s+\("
| rex field=Request_URL "(?<Request_URL>.*)\/.*$"
| table Request_URL

Ciao.

Giuseppe

@gcusello 

I tried with below. Not able to see any Request_URL

index=abc sourcetype=xyz source="user.log" process-groups (Request_Type ="*") (ADS_Id ="*")| convert timeformat="%Y-%m-%d" ctime(_time) AS Date| rex field=my_field "\)\s+\w+\s+(?<Request_URL>[^ ]+)\s+\("
| rex field=Request_URL "(?<Request_URL>.*)\/.*$"
| table Request_URL

Can Someone Guide me on this please.

Can someone provide me the exact regex.

Hi @aditsss you want to extract the red-color'ed field or the full URL?

POST https://abcdefghj50089.phx.xp.com:9091/api/flow/process-groups/20d3839e-0175-1000-0000-00007664d52e/snippet-instance (source )

@inventsekar 

I want to extract the RequestURL that I have highlighted in Blue.

GET https://abcdefghj50089.phx.xp.com:9091/api/flow/process-groups/00cbae21-0174-1000-ffff-ffffeaa916f7/controller-services (source )

POST https://abcdefghj50089.phx.xp.com:9091/api/flow/process-groups/65883f7c-6c05-1bad-b438-26aa4783bf51/snippet-instance (source )

DELETE https://abcdefgh50090.phx.aexp.com:9091/api/process-groups/e9123704-0d3a-10fd-937d-ec61cdddff63(source)

Hi @aditsss ... @@gcusello 's rex is working perfectly:

| makeresults 
| eval my_field="2020-10-13 00:19:06,574 INFO [24962] o.a.n.w.s.Filter Attempting request for (<agane22><CN=com, OU=Middleware Utilities,L=Phoenix, ST=Arizona, C=US>) GET https://abcdefghj50089.phx.xp.com:9091/api/flow/process-groups/00cbae21-0174-1000-ffff-ffffeaa916f7/controller-services (source )"
| rex field=my_field "\)\s+\w+\s+(?<Request_URL>[^ ]+)\s+\("
| rex field=Request_URL "(?<Request_URL>.*)\/.*$"
| table Request_URL

@bowesmana  I tried with this 

rex field=_raw ".*(?<RequestURL>http[^ $]*)"

But its picking after the Id also like below:

https://abcdefghu50089.phx.aexp.com:9091/api/process-groups/abd637bd-ec30-1447-0000-00002c0daf8d/pro...

It should take always the Request_Url till here:

https://abcdefghu50089.phx.aexp.com:9091/api/process-groups/abd637bd-ec30-1447-0000-00002c0daf8d

You'll need to keep playing with how to define the rule that matches your URL syntax, e.g. this one will match the example you've given now

https://regex101.com/r/tnieWO/1