Solved: Extract Second field from url

michaelrodr · ‎01-22-2020

AbsoluteUri=https://website.api.net/hch6348/relay/6bcb449b-7d85-4f71-a6f4-fae37808627f-udcc1.crp.hs.com/script/w...
AbsoluteUri=https://website.api.net/hch6348/health

I have a field with a uri that looks like either of the above. I want to extract the word "relay" or "health" from the url into a field called apiEndpoint.

I've tried piping the field into this regex, but I cannot get it right: | rex "AbsoluteUri\":\"((\/.+?)(\/.+?)?<apiEndpoint>\/?)"

I have not been able to find an example like this on the Splunk forums. Any help would be appreciated

richgalloway · ‎01-22-2020

This should do it.

... | rex "AbsoluteUri=https:\/\/[^\/]+\/[^\/]+\/(?<apiEndpoint>[^\/]+|$)"

Also, the URL Toolbox app may be helpful.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-22-2020

This should do it.

... | rex "AbsoluteUri=https:\/\/[^\/]+\/[^\/]+\/(?<apiEndpoint>[^\/]+|$)"

Also, the URL Toolbox app may be helpful.

---
If this reply helps you, Karma would be appreciated.

michaelrodr · ‎01-22-2020

Thank you so much! This worked perfectly for me. Accepted answer

michaelrodr · ‎01-22-2020

As far as the URL toolbox, I don't have control over my company's Splunk deployment, so I can't install that. It does seem very helpful though, I've seen it recommended a ton of places

Anantha123 · ‎01-22-2020

Try this

| rex field=AbsoluteUri "https://\w+.\w+\w/\w+/(?<uri>[^(\/)|(\s)]+)" | table uri

michaelrodr · ‎01-22-2020

I'm sorry, this didn't work for me. I accepted richgalloway's answer.

Extract Second field from url

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All