Extract field after text

ashvini_mishra
Explorer

Here is a log example:

http://host/manager/resource_identifier/ids/getOrCreate/bulk?dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 Created:78

I need to extract the string after ids/ until the first ? or :

So the output would be: getOrCreate/bulk

I am trying this:

rex field=log ":(?<url>ids\/[^?: ]*)"


What am I missing?


danielcj
Communicator

Hello,

Please, try the following:

| rex field=log "ids\/(?<url>[^\?|\:]+)"


If your "log" field is not presenting the log example that you used, you can try substituting field=log with field=_raw.

ashvini_mishra
Explorer

@danielcj  @ashvinpandey  

Thanks for your responses, this works.

I saw that some of my logs don't have "ids/" in them; in that case url turns out to be blank. Here, how can I perform an OR operation to calculate url as: rex field=log "com\/(?<url>[^\?|\:\/ ]+)"

That is:

if "ids\/(?P<url>[^?:\s]+)" returns blank, then extract url as "com\/(?<url>[^\?|\:\/ ]+)"

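The fallback asked for in the post above, prototyped outside Splunk as an added example (not code from the thread): the accepted "ids/" pattern is tried first and the "com/" pattern only when it does not match, which is the same effect as running both rex commands in SPL and combining the two fields with coalesce (editor's suggestion in the comment). The sample log lines other than the one from the question are constructed.

```python
import re
from typing import Optional

# SPL equivalent of the fallback (editor's suggestion, not from the thread):
#   | rex field=log "ids\/(?<url>[^?:\s]+)"
#   | rex field=log "com\/(?<url2>[^?:\/\s]+)"
#   | eval url=coalesce(url, url2)
# Splunk's rex leaves a field unset when the regex does not match, so coalesce picks the first hit.

# Accepted answer's idea: everything after "ids/" up to the first "?", ":" or whitespace.
# Python only accepts the (?P<name>...) spelling; Splunk rex accepts both (?<name>...) and (?P<name>...).
IDS_RE = re.compile(r"ids/(?P<url>[^?:\s]+)")
# Fallback from the follow-up question: the path segment after "com/", which also stops at "/".
COM_RE = re.compile(r"com/(?P<url>[^?:/\s]+)")


def extract_url(log: str) -> Optional[str]:
    """Return the url field the way a rex fallback would: try ids/ first, then com/.

    Returns None when neither pattern matches, mirroring a null field in Splunk.
    """
    for pattern in (IDS_RE, COM_RE):
        match = pattern.search(log)
        if match:
            return match.group("url")
    return None


# Constructed sample lines; the first is the log example from the question.
SAMPLE_LOGS = [
    "http://host/manager/resource_identifier/ids/getOrCreate/bulk"
    "?dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 Created:78",
    "http://api.example.com/orders/list?page=2:200 OK:12",   # no ids/, falls back to com/
    "http://host/manager/health:200 OK:3",                   # neither pattern matches
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(repr(extract_url(line)), "<-", line[:50])
```

Note that the original attempt ":(?<url>ids\/[^?: ]*)" misses because it requires a ":" immediately before "ids/", whereas the example line has a "/" there.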

ashvinpandey
Contributor

@ashvini_mishra Try this:

| rex field=_raw "ids\/(?P<url>.*?)\?"


If this is some field name, then just replace _raw with your field name, or use the rex below:

| rex field=log "ids\/(?P<url>.*?)\?"


Also, if this reply helps you, an upvote would be appreciated.

