Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

AND | OR Rex field

patelpin
New Member
‎09-27-2016 01:11 PM

Hello. I have a few servers: a,b,c and 1,2,3

Servers a,b,c work with this - base search | rex field=cs_uri_stem "(\/apps\/)(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test

cs_uri_stem= /apps/example/foo.aspx
some of the cs_uri_stem will be /apps/example/example/foo.aspx

Servers 1,2,3 work with this - base search | rex field=cs_uri_stem "(\/apps\/)|(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test
cs_uri_stem= /example/foo.aspx

I would like to combine them so that I get the results from all the servers. Please excuse the space in < test> it wouldn't show without the space.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎09-27-2016 02:45 PM

Hi patelpin,

based on the provided examples this regex should work for you:

... | rex field=cs_uri_stem "(^\/apps\/|^\/(?!apps))(?<myFoo>[^\/]+)" | ...

Tested and working on regex101.com

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎09-27-2016 02:45 PM

Hi patelpin,

based on the provided examples this regex should work for you:

... | rex field=cs_uri_stem "(^\/apps\/|^\/(?!apps))(?<myFoo>[^\/]+)" | ...

Tested and working on regex101.com

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

patelpin
New Member
‎09-28-2016 06:32 AM

This worked exactly as I'd hoped, for about 99% of all the items. There are just a few cs_uri_stem that are like /example.gif, favicon.ico and the such. Is there any way to exclude these items?

At the moment, in my queries I can just use ... | search myFoo!="." | ...

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-28-2016 12:19 PM

Sure, just add another \/ at the end to make sure it will only match if there is a second /

 ... | rex field=cs_uri_stem "(^\/apps\/|^\/(?!apps))(?<myFoo>\w+)\/" | ...

cheers, MuS

Reply
Solved! Jump to solution

patelpin
New Member
‎09-29-2016 11:39 AM

Even better. Perfect, thank you very much.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-27-2016 01:14 PM

Can you please provide some real world sample data as text?

Reply
Solved! Jump to solution

patelpin
New Member
‎09-27-2016 02:03 PM

I can post the cs_uri_stem from several of the servers. In bold is what I'm trying to extract. Let me know if you need additional items. Not sure I'm giving everything you need. I can give full raw if you'd like. The only difference between the two is the | pipe.

Servers a,b,c:
/apps/spxss/spxquotebrowser/SPX.css
/apps/ajt/SE3SPX2COM/Spx2COM.asmx
/apps/PriceInq/Default.aspx
/apps/ordp/OrderEntry.aspx
/apps/orderalert/default.aspx
/apps/ALIS/ALIC.aspx

Servers 1,2,3:
/ECFPO/OpenPO.aspx
/ECFBWIN/Reserved.ReportViewerWebControl.axd
/open4ess/checks1.asp
/ecfordertracker/
/ECFQuoteTracker/QuoteCompleted.aspx

sourcetype=iis s_computername=Server1* | rex field=cs_uri_stem "(\/apps\/)(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test
Will give me:
spxss
ajt
PriceInq
ordp
orderalert
ALIS

sourcetype=iis s_computername=ServerA* | rex field=cs_uri_stem "(\/apps\/)|(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test
Will give me:
ECFPO
ECFBWIN
open4ess
ecfordertracker
ECFQuoteTracker

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...