Splunk Search

Extract string between 2 string

Hi Community,

I have a question about regex and extraction

I want to extract only the string between /var/log/nginx/access_ and .log

alt text

I already tried many regex en mod=sed but i don't find the right regex.

Can you help me ?

Many thanks

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

If you just need to extract a string then you don't need sed as that is for modifying strings.
Try this:

host=dnginx* NOT source="/var/log/nginx/access.log" NOT source="/var/log/nginx/error.log" | rex field=source "access_(?<string>[^\.]+)" | chart count by string | rename url_short as URL
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Hi @serviceinfrastructure - Did your answer provide a working solution to your question? If yes, don't forget to click "Accept" to close out your question so that others can easily find it if they are having the same issue. Thanks!

0 Karma

SplunkTrust
SplunkTrust

If you just need to extract a string then you don't need sed as that is for modifying strings.
Try this:

host=dnginx* NOT source="/var/log/nginx/access.log" NOT source="/var/log/nginx/error.log" | rex field=source "access_(?<string>[^\.]+)" | chart count by string | rename url_short as URL
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

Motivator

Try this. Add this to your search,

search...| rex field=source "\/var\/log\/nginx\/access\_(?<string>\S+)\.log" | table string

Tested regex here.

0 Karma

Motivator

@serviceinfrastructure ,

You can use regex given by @richgalloway, as it takes, 13 steps to match the pattern and mine takes 38 steps. However, if you have many sources with access_ in the value, then you might want to be more specific in defining regex.

0 Karma

SplunkTrust
SplunkTrust

@serviceinfrastructure,

Try

 |rex  field=URL "^/\w+/\w+/\w+/\w+_(?P<my_string>[^\.]+)"|table my_string
0 Karma