Solved: Extract field after text

ashvini_mishra · ‎09-23-2021

Here is log example -

http://host/manager/resource_identifier/ids/getOrCreate/bulk?dscid=LuSxrA-1c42bb5b-f862-4861-892f-69320e1a59e7:200 Created:78

I need to extract string after ids/ untill first ? or :

So output would be - getOrCreate/bulk

I am trying this -

rex field=log ":(?<url>ids\/[^?: ]*)"

What am I missing?

danielcj · ‎09-23-2021

Hello,

Please, try the following:

| rex field=log "ids\/(?<url>[^\?|\:]+)"

If your "log" field is not presenting the log example that you used, you can try substitute field=log to field=_raw

View solution in original post

ashvini_mishra · ‎09-23-2021

@danielcj @ashvinpandey

Thank for your responses, this works -

I saw some of my logs don't have "ids/" in them, in that case url turns out to be blank. Here how can I perform an OR operation to calculate url as - rex field=log "com\/(?<url>[^\?|\:\/ ]+)"

That is -

if - "ids\/(?P<url>[^?:\s]+)" return blank then extract url as - "com\/(?<url>[^\?|\:\/ ]+)"

ashvinpandey · ‎09-23-2021

@ashvini_mishra Try this:

| rex field=_raw "ids\/(?P<url>.*?)\?"

if this is some fieldname then just replace _raw by your fieldname, or use the below rex:

| rex field=log "ids\/(?P<url>.*?)\?"

Also, If this reply helps you, an upvote would be appreciated.

danielcj · ‎09-23-2021

Hello,

Please, try the following:

| rex field=log "ids\/(?<url>[^\?|\:]+)"

If your "log" field is not presenting the log example that you used, you can try substitute field=log to field=_raw

Extract field after text

field extraction

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation