Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Check a field

graziaedu
Explorer
‎10-08-2021 06:47 AM

Hello,

I have a field with this values

/v1/accounts/96ea01b5-7ea7-4dc6-b534-39ae8b114bba/transactions
/v1/accounts/ff572b85-c3c6-4e54-8343-75c5aa954285
/v1/accounts/469754d0-9169-45ca-af86-a885142d6ad4/transactions
/v1/accounts/c68b8246-bd76-4d34-9d33-7fb4be4ebe9f/limits
/v1/accounts/d9f1e948-e9aa-4a46-9e78-deeaf1d21143/limits
/v1/accounts/f6fa235c-858d-42d2-80ae-85b12a750351
/v1/accounts/f4a0877f-5807-41ed-b7ee-c6be2e4e25be
/v1/accounts/042c6b58-ea01-48cd-838e-06929b427f75

I need a query that show me only the lines that doesn't have nothing after the ID.
Exemple
 /v1/accounts/ff572b85-c3c6-4e54-8343-75c5aa954285
/v1/accounts/f6fa235c-858d-42d2-80ae-85b12a750351
/v1/accounts/f4a0877f-5807-41ed-b7ee-c6be2e4e25be
/v1/accounts/042c6b58-ea01-48cd-838e-06929b427f75

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2021 07:13 AM

This regex command should filter the right events.  Replace <<field>> with the actual name of the field.

 

... | regex <<field>>="\/\w+\/\w+\/[^\/]+$"

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-08-2021 07:44 AM

Try something like this

your base search fetching field with those values
| where match(YourFieldName,"(\/[^\/]+){2}\/\w{8}-\w{4}\w{4}-\w{4}-\w{8}$")
Reply
Solved! Jump to solution

ashvinpandey
Contributor
‎10-08-2021 07:22 AM

@graziaedu Try using the below command:

 

| rex field=field_name "\/\w+\/\w+\/(?P<field_name>.*?)\/"

 

NOTE: Change the field_name in the above command with your field name.
Also, If this reply helps you a thumbs-up would be appreciated.

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2021 07:13 AM

This regex command should filter the right events.  Replace <<field>> with the actual name of the field.

 

... | regex <<field>>="\/\w+\/\w+\/[^\/]+$"

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

graziaedu
Explorer
‎10-08-2021 07:51 AM

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...