Solved: Extract string between 2 string

serviceinfrastr · ‎08-23-2018

Hi Community,

I have a question about regex and extraction

I want to extract only the string between /var/log/nginx/access_ and .log

I already tried many regex en mod=sed but i don't find the right regex.

Can you help me ?

Many thanks

richgalloway · ‎08-23-2018

If you just need to extract a string then you don't need sed as that is for modifying strings.
Try this:

host=dnginx* NOT source="/var/log/nginx/access.log" NOT source="/var/log/nginx/error.log" | rex field=source "access_(?<string>[^\.]+)" | chart count by string | rename url_short as URL

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

mstjohn_splunk · ‎08-23-2018

Hi @serviceinfrastructure - Did your answer provide a working solution to your question? If yes, don't forget to click "Accept" to close out your question so that others can easily find it if they are having the same issue. Thanks!

richgalloway · ‎08-23-2018

If you just need to extract a string then you don't need sed as that is for modifying strings.
Try this:

host=dnginx* NOT source="/var/log/nginx/access.log" NOT source="/var/log/nginx/error.log" | rex field=source "access_(?<string>[^\.]+)" | chart count by string | rename url_short as URL

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

sudosplunk · ‎08-23-2018

Try this. Add this to your search,

search...| rex field=source "\/var\/log\/nginx\/access\_(?<string>\S+)\.log" | table string

Tested regex here.

sudosplunk · ‎08-23-2018

@serviceinfrastructure ,

You can use regex given by @richgalloway, as it takes, 13 steps to match the pattern and mine takes 38 steps. However, if you have many sources with access_ in the value, then you might want to be more specific in defining regex.

renjith_nair · ‎08-23-2018

@serviceinfrastructure,

Try

 |rex  field=URL "^/\w+/\w+/\w+/\w+_(?P<my_string>[^\.]+)"|table my_string