Solved: Need help on Rex Please: How to extract the below ...

kc_prane · ‎06-21-2023

Hi, I need to extract the below events i tried this | rex "URI\s(?<URI>.+?)=" but not working. i want to extract for the 1& 2 events before the "="

URI /api/Hellothisistest?customerNumber=244479

URI /api/Hellothisistest?customerNumber=247370

URI /api/Getthisextractessample

URI /api/createthisextractesof

URI /api/liverpooltestsoccer

Thanks in Advance

gcusello · ‎06-21-2023

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

kc_prane · ‎06-21-2023

Thanks @gcusello modifed your query and helped | rex "URI\s*(?<URI>[^\=\n]+)" worked for me

gcusello · ‎06-21-2023

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎06-21-2023

you can use this if you want to take all after URI:

| rex "URI\s*(?<URI>.+)=*"

if instead you want the URL until "=" when present, you can use the following regex:

| rex "URI\s*(?<URI>[^\=\n]+)(=*)|\n"

ciao.

Giuseppe

Need help on Rex Please: How to extract the below events?