Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

AND | OR Rex field

patelpin
New Member
‎09-27-2016 01:11 PM

Hello. I have a few servers: a,b,c and 1,2,3

Servers a,b,c work with this - base search | rex field=cs_uri_stem "(\/apps\/)(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test

cs_uri_stem= /apps/example/foo.aspx
some of the cs_uri_stem will be /apps/example/example/foo.aspx

Servers 1,2,3 work with this - base search | rex field=cs_uri_stem "(\/apps\/)|(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test
cs_uri_stem= /example/foo.aspx

I would like to combine them so that I get the results from all the servers. Please excuse the space in < test> it wouldn't show without the space.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎09-27-2016 02:45 PM

Hi patelpin,

based on the provided examples this regex should work for you:

... | rex field=cs_uri_stem "(^\/apps\/|^\/(?!apps))(?<myFoo>[^\/]+)" | ...

Tested and working on regex101.com

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎09-27-2016 02:45 PM

Hi patelpin,

based on the provided examples this regex should work for you:

... | rex field=cs_uri_stem "(^\/apps\/|^\/(?!apps))(?<myFoo>[^\/]+)" | ...

Tested and working on regex101.com

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

patelpin
New Member
‎09-28-2016 06:32 AM

This worked exactly as I'd hoped, for about 99% of all the items. There are just a few cs_uri_stem that are like /example.gif, favicon.ico and the such. Is there any way to exclude these items?

At the moment, in my queries I can just use ... | search myFoo!="." | ...

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎09-28-2016 12:19 PM

Sure, just add another \/ at the end to make sure it will only match if there is a second /

 ... | rex field=cs_uri_stem "(^\/apps\/|^\/(?!apps))(?<myFoo>\w+)\/" | ...

cheers, MuS

Reply
Solved! Jump to solution

patelpin
New Member
‎09-29-2016 11:39 AM

Even better. Perfect, thank you very much.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎09-27-2016 01:14 PM

Can you please provide some real world sample data as text?

Reply
Solved! Jump to solution

patelpin
New Member
‎09-27-2016 02:03 PM

I can post the cs_uri_stem from several of the servers. In bold is what I'm trying to extract. Let me know if you need additional items. Not sure I'm giving everything you need. I can give full raw if you'd like. The only difference between the two is the | pipe.

Servers a,b,c:
/apps/spxss/spxquotebrowser/SPX.css
/apps/ajt/SE3SPX2COM/Spx2COM.asmx
/apps/PriceInq/Default.aspx
/apps/ordp/OrderEntry.aspx
/apps/orderalert/default.aspx
/apps/ALIS/ALIC.aspx

Servers 1,2,3:
/ECFPO/OpenPO.aspx
/ECFBWIN/Reserved.ReportViewerWebControl.axd
/open4ess/checks1.asp
/ecfordertracker/
/ECFQuoteTracker/QuoteCompleted.aspx

sourcetype=iis s_computername=Server1* | rex field=cs_uri_stem "(\/apps\/)(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test
Will give me:
spxss
ajt
PriceInq
ordp
orderalert
ALIS

sourcetype=iis s_computername=ServerA* | rex field=cs_uri_stem "(\/apps\/)|(?P< test>[\d\w]+)(\/\w+)(.*\b\w+)$" | top limit=1000 test
Will give me:
ECFPO
ECFBWIN
open4ess
ecfordertracker
ECFQuoteTracker

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...