Solved: Re: Check a field

graziaedu · ‎10-08-2021

Hello,

I have a field with this values

/v1/accounts/96ea01b5-7ea7-4dc6-b534-39ae8b114bba/transactions
/v1/accounts/ff572b85-c3c6-4e54-8343-75c5aa954285
/v1/accounts/469754d0-9169-45ca-af86-a885142d6ad4/transactions
/v1/accounts/c68b8246-bd76-4d34-9d33-7fb4be4ebe9f/limits
/v1/accounts/d9f1e948-e9aa-4a46-9e78-deeaf1d21143/limits
/v1/accounts/f6fa235c-858d-42d2-80ae-85b12a750351
/v1/accounts/f4a0877f-5807-41ed-b7ee-c6be2e4e25be
/v1/accounts/042c6b58-ea01-48cd-838e-06929b427f75

I need a query that show me only the lines that doesn't have nothing after the ID.
Exemple
/v1/accounts/ff572b85-c3c6-4e54-8343-75c5aa954285
/v1/accounts/f6fa235c-858d-42d2-80ae-85b12a750351
/v1/accounts/f4a0877f-5807-41ed-b7ee-c6be2e4e25be
/v1/accounts/042c6b58-ea01-48cd-838e-06929b427f75

Thanks

richgalloway · ‎10-08-2021

This regex command should filter the right events. Replace <<field>> with the actual name of the field.

... | regex <<field>>="\/\w+\/\w+\/[^\/]+$"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

somesoni2 · ‎10-08-2021

Try something like this

your base search fetching field with those values
| where match(YourFieldName,"(\/[^\/]+){2}\/\w{8}-\w{4}\w{4}-\w{4}-\w{8}$")

ashvinpandey · ‎10-08-2021

@graziaedu Try using the below command:

| rex field=field_name "\/\w+\/\w+\/(?P<field_name>.*?)\/"

NOTE: Change the field_name in the above command with your field name.
Also, If this reply helps you a thumbs-up would be appreciated.

richgalloway · ‎10-08-2021

This regex command should filter the right events. Replace <<field>> with the actual name of the field.

... | regex <<field>>="\/\w+\/\w+\/[^\/]+$"

---
If this reply helps you, Karma would be appreciated.

graziaedu · ‎10-08-2021

Thanks

Check a field

other

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes