Splunk Search

Help with Regex

Communicator

Hello,

With my virtually non existent skills around regex I am struggling to get an extraction to work 😞

I am trying to extract some text after the third / as per the below
[http://10.91.11.47:1200/WMB_SAFIRE_INT/BCSWebservice/services/ProcessQuoteMB]

The text I want to extract is everything after the 3rd / so WMB_SAFIRE_INT/BCSWebservice/services/ProcessQuoteMB (the text content & length can vary but the start and end point of the text is consistent in that it starts with [http:// and ends with ]).
The result is then piped to a field(?) called WS (?)

Any help or pointers would be very much appreciated

Cheers,

Alastair

Tags (1)
0 Karma
1 Solution

Contributor

Very rough attempt below. It should create a new field called WS, but it is specifially setup for 2 digit ip, you can change that to suit your setup

rex  field=fieldname  "\[http\:\/\/[0-9]{2}\.[0-9]{2}\.[0-9]{2}\.[0-9]{2}\:[0-9]{4}\/(?<WS>\S+)*\]"

View solution in original post

Contributor

Very rough attempt below. It should create a new field called WS, but it is specifially setup for 2 digit ip, you can change that to suit your setup

rex  field=fieldname  "\[http\:\/\/[0-9]{2}\.[0-9]{2}\.[0-9]{2}\.[0-9]{2}\:[0-9]{4}\/(?<WS>\S+)*\]"

View solution in original post

Communicator

Fantastic.. works a treat. Thank you so much.

Cheers,

Alastair

0 Karma

Builder

Hi Alastair,
You should use the following regex for your field due to the fact that IP's can be 3 digit.

rex field=fieldname "\[http\:\/\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\:[0-9]+\/(?<WS>\S+)*\]"

The + quantifier in essence says Any amount of any number in the range of 0 - 9

This should work, I haven't had a chance to test it, but I'm pretty sure it would work.

0 Karma