Hi,
I have this data
{"method":"GET","url":"/rest/icontrol/logout","params":{},"requestStartTime":1548363789220,"responseStatus":401,"success":false,"responseTime":1548363789372}
--and--
{"method":"DELETE","url":"/rest/abortasync/icontrol/sites/630555/abortdeltas","params":{"spsId":95645},"requestStartTime":1548363788415,"responseStatus":401,"success":false,"responseTime":1548363788699}
I need to extract logout from the first event and abortdeltas from the second event, essentially the word after the last forward slash or the word before params.
Any thoughts?
You can use something similar to my example search:
|makeresults| eval x1="/rest/icontrol/logout" | appendpipe[|eval x1="/rest/abortasync/icontrol/sites/630555/abortdeltas"]| rex field=x1 "\/rest\S+\/(?<word>\S+)"
I got the below to work in regex101 but it doesn't work in Splunk.
^(.*[\\\/])(?<lword>)\w+
index="wholesale_app" analyticType=CustomAnalytic Properties.index=33 false|regex "^(.*[\\\/])(?<lword>)\w+"|stats count by lword
The above doesn't work.
@dbcase - If you are not sure of the word rest in your data, you can just use rex field=x1 "\/\S+\/(?<word>\S+)"
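Here is an added example, written for this page and not posted by anyone in the thread, that reproduces what the rex in the answer and the generalized form in the comment do, using the two events from the question. It also shows why the pattern in the question captures nothing (the named group is empty) and handles two cases the bare `\S+` pattern does not: a query string and a trailing slash. The function names (last_segment, extract_words, count_by_word) and the use of Python's re module are my own choices; Splunk is not involved.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# The two events from the question, copied verbatim from the thread.
EVENTS = [
    '{"method":"GET","url":"/rest/icontrol/logout","params":{},'
    '"requestStartTime":1548363789220,"responseStatus":401,"success":false,'
    '"responseTime":1548363789372}',
    '{"method":"DELETE","url":"/rest/abortasync/icontrol/sites/630555/abortdeltas",'
    '"params":{"spsId":95645},"requestStartTime":1548363788415,"responseStatus":401,'
    '"success":false,"responseTime":1548363788699}',
]

# Equivalent of the comment's rex "\/\S+\/(?<word>\S+)": the greedy \S+ runs to
# the last "/" in the path, so the named group receives the final segment.
# Python spells named groups (?P<name>...); Splunk/PCRE accept (?<name>...).
LAST_SEGMENT = re.compile(r"/\S+/(?P<word>\S+)")

# The pattern as posted in the question: the named group (?<lword>) is empty and
# \w+ sits outside it, so the pattern matches but lword is always "".
EMPTY_GROUP = re.compile(r"^(.*[\\/])(?P<lword>)\w+")


def last_segment(url):
    """Return the last path segment of url, or None when there are fewer than two '/'.

    Caveat the rex alone does not cover: \\S+ also swallows a '?query' suffix and
    a trailing '/', so the path is isolated and trailing slashes dropped first.
    """
    path = urlsplit(url).path.rstrip("/")
    m = LAST_SEGMENT.search(path)
    return m.group("word") if m else None


def empty_group_capture(url):
    """Show what the question's regex puts into lword: an empty string."""
    m = EMPTY_GROUP.search(url)
    return m.group("lword") if m else None


def extract_words(raw_events):
    """Parse each JSON event and pull the last segment of its url field."""
    return [last_segment(json.loads(raw)["url"]) for raw in raw_events]


def count_by_word(raw_events):
    """Like '| stats count by word': tally endpoints, e.g. which ones return 401."""
    return dict(Counter(extract_words(raw_events)))


if __name__ == "__main__":
    for raw in EVENTS:
        ev = json.loads(raw)
        print(ev["responseStatus"], ev["method"], last_segment(ev["url"]))
    print(count_by_word(EVENTS))
```

Running it prints `logout` and `abortdeltas` for the two events and a per-endpoint count, which is the same grouping the `stats count by` in the question was after. Note that `last_segment` keeps the rex's requirement of at least two slashes, so a bare `/logout` yields None rather than a field.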