Extract field after text

ashvini_mishra
Explorer

Here is a log example:

http://host/manager/resource_identifier/ids/getOrCreate/bulk?dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 Created:78

I need to extract the string after ids/ until the first ? or :

So the output would be: getOrCreate/bulk

I am trying this:

rex field=log ":(?<url>ids\/[^?: ]*)"

What am I missing?


danielcj
Communicator

Hello,

Please try the following:

| rex field=log "ids\/(?<url>[^\?|\:]+)"

If your "log" field is not presenting the log example that you used, you can try substituting field=log with field=_raw.


ashvini_mishra
Explorer

@danielcj @ashvinpandey

Thanks for your responses, this works.

I saw that some of my logs don't have "ids/" in them; in that case url turns out to be blank. How can I perform an OR operation to calculate url as:

rex field=log "com\/(?<url>[^\?|\:\/ ]+)"

That is:

if "ids\/(?P<url>[^?:\s]+)" returns blank, then extract url as "com\/(?<url>[^\?|\:\/ ]+)"

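An added example, not from anyone in this thread, that runs the patterns discussed above over a few constructed log lines with Python's re module standing in for Splunk's PCRE-based rex. It shows why the original pattern in the question matches nothing (it requires a ':' immediately before "ids/", which the log does not contain), how the accepted "ids/" pattern behaves when the path ends in ':' rather than '?', and one way to express the "if ids/ is blank, fall back to com/" logic from the follow-up. The sample lines, the SAMPLE_LOGS list and the function names are constructed for this example. Two details differ from the SPL on the page: Python only accepts the (?P<name>...) spelling of a named group (Splunk accepts both), and the answer's class [^\?|\:] also excludes a literal '|' because '|' is not alternation inside brackets, so the class below is written as [^?:].

```python
import re

# Constructed sample log lines (not from the original post), covering:
#  1. the line from the question (ids/ present, terminated by '?')
#  2. an ids/ path terminated by ':' instead of '?'
#  3. a line with no ids/ segment, where the follow-up wants a "com/" fallback
SAMPLE_LOGS = [
    "http://host/manager/resource_identifier/ids/getOrCreate/bulk"
    "?dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 Created:78",
    "http://host/manager/resource_identifier/ids/lookup:200 OK:12",
    "http://example.com/health?probe=1:200 OK:3",
]

# The asker's original pattern: it demands a ':' right before "ids/", which
# never occurs in these lines, so it matches nothing.
ORIGINAL_PATTERN = re.compile(r":(?P<url>ids/[^?: ]*)")

# The accepted answer's pattern: anchor on "ids/", take everything up to the
# first '?' or ':'. (Python needs (?P<name>...) for named groups.)
IDS_PATTERN = re.compile(r"ids/(?P<url>[^?:]+)")

# Fallback from the follow-up question: first path segment after "com/",
# stopping at '?', ':', '/' or a space.
COM_PATTERN = re.compile(r"com/(?P<url>[^?:/ ]+)")

# The lazy variant from the other answer: it needs a literal '?' after the
# path, so it yields nothing on a line where the path is followed by ':'.
LAZY_PATTERN = re.compile(r"ids/(?P<url>.*?)\?")


def _first(pattern, line):
    """Return the named group 'url' of the first match, or None (like an
    unmatched rex leaving the field empty)."""
    m = pattern.search(line)
    return m.group("url") if m else None


def extract_original(line):
    """Apply the asker's original regex (expected: None on every sample)."""
    return _first(ORIGINAL_PATTERN, line)


def extract_lazy(line):
    """Apply the lazy 'ids/...?' regex."""
    return _first(LAZY_PATTERN, line)


def extract_url(line):
    """Accepted-answer extraction with the follow-up's fallback: use the
    'ids/' match when present, otherwise the 'com/' match. In SPL the same
    effect comes from two rex commands into separate fields combined with
    eval coalesce(); here it is plain Python control flow."""
    url = _first(IDS_PATTERN, line)
    if url is None:
        url = _first(COM_PATTERN, line)
    return url


def extract_all(lines):
    """Run the fallback extraction over a batch of lines."""
    return [extract_url(line) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"original={extract_original(line)!r:6}  "
              f"lazy={extract_lazy(line)!r:20}  "
              f"ids-or-com={extract_url(line)!r}")
```

On the three sample lines the original pattern returns None every time, the lazy pattern returns "getOrCreate/bulk", None, None, and the fallback extraction returns "getOrCreate/bulk", "lookup", "health". In SPL the equivalent of extract_url is to rex the two patterns into different field names (for example url_ids and url_com) and then eval url=coalesce(url_ids, url_com), so that the com/ value is only used when the ids/ match is empty.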

ashvinpandey
Contributor

@ashvini_mishra Try this:

| rex field=_raw "ids\/(?P<url>.*?)\?"

If this is some other field name, just replace _raw with your field name, or use the rex below:

| rex field=log "ids\/(?P<url>.*?)\?"

Also, if this reply helps you, an upvote would be appreciated.

