Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting field using rex for URL

JoshuaJohn
Contributor
‎08-15-2016 07:22 AM

I have this search:

index=nitro_prod_ecomm sourcetype = nitro_access_log earliest=-30m@m | rex field=_raw "\d\d\:\d\d\:\d\d\s+(?\d+\.\d+)" | search ResponseTime>1

That gives me results like this:

10.022.020.203  10.200.130.180:7001 -   2016-08-15  01:09:02    4.55    GET   /product/nitro?skuId=11023031 skuId=11023031  200 124221]"

10.402.300.103  10.200.111.116:7001 -   2016-08-15  01:09:00    6.033   POST /myaccount/json/acc_nitro_login_json.jsp   -   302 0]"

I want to get "product" & "myaccount" into a field called page, basically whatever that first word is after GET, and POST

Any solutions? I can get the entire URL but I am unsure as to how to get just that first part.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎08-15-2016 07:42 AM

Try this

... | rex (?<page>(GET|POST)\s+\/(\w+))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎08-15-2016 07:42 AM

Try this

... | rex (?<page>(GET|POST)\s+\/(\w+))

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...