Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract Field URL

erick_costa
Path Finder
‎04-26-2013 05:21 AM

How to do rex to extract field URL eg.: http://www.gnookcooki.com.br

1366974288.183 102 178.19.3.199 TCP_REFRESH_HIT/200 174 GET http://www.gnookcooki.com.br/images/hat_orange_big.gif teste@teste.com DIRECT/www.gnookcooki.com.br/image/gif
1366974288.184 102 178.19.3.199 TCP_REFRESH_HIT/200 174 GET http://www.gnookcooki.com.br/images-files/hat_orange.jpg teste@teste.com DIRECT/www.gnookcooki.com.br/image/gif

Tags (2)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎04-26-2013 05:38 AM

your_search | rex field=_raw "(GET|POST|DELETE|PUT)\s*(?<url>[^\s]*)"

Although, this looks like access_combined, some items should be extracted for you already.

Reply

bmacias84
Champion
‎04-26-2013 08:32 AM

Here another one that may work for you as well.
(?<uri>(https?|ftp)://[a-zA-Z0-9.\-_]+/[a-zA-Z0-9+&@#/%=~_\-|!:,.;]*)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...