Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me extract some data with regex?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
01-24-2019
01:08 PM
Hi,
I have this data
{"method":"GET","url":"/rest/icontrol/logout","params":{},"requestStartTime":1548363789220,"responseStatus":401,"success":false,"responseTime":1548363789372}
--and--
{"method":"DELETE","url":"/rest/abortasync/icontrol/sites/630555/abortdeltas","params":{"spsId":95645},"requestStartTime":1548363788415,"responseStatus":401,"success":false,"responseTime":1548363788699}
I need to extract the logout from the first event and abortdeltas from the second event. Essentially the word after the last forward slash or the word before params
Any thoughts?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
01-24-2019
01:17 PM
You can use something similar as in my example search-
|makeresults| eval x1="/rest/icontrol/logout" | appendpipe[|eval x1="/rest/abortasync/icontrol/sites/630555/abortdeltas"]| rex field=x1 "\/rest\S+\/(?<word>\S+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
01-24-2019
01:17 PM
I got the below to work in regex101 but it doesn't work in splunk
^(.*[\\\/])(?<lword>)\w+
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
01-24-2019
01:18 PM
index="wholesale_app" analyticType=CustomAnalytic Properties.index=33 false|regex "^(.*[\\\/])(?<lword>)\w+"|stats count by lword
The above doesn't work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
01-24-2019
01:17 PM
You can use something similar as in my example search-
|makeresults| eval x1="/rest/icontrol/logout" | appendpipe[|eval x1="/rest/abortasync/icontrol/sites/630555/abortdeltas"]| rex field=x1 "\/rest\S+\/(?<word>\S+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
01-24-2019
01:22 PM
@dbcase - If you are not sure of word rest in your data, you can just use rex field=x1 "\/\S+\/(?<word>\S+)
Get Updates on the Splunk Community!
Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...
If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...
Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions
Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
