Splunk Search

How can I improve my regular expression to extract a field located inside a URL?

guillecasco
Path Finder

Hey i have the following logs:

INCOMING REQUEST:
URL:  /pop/v1/enviro/2ee999b4-d97ba81bdefd/updatesearching/

i need to extract the numbers after enviro/ and before /updatesearching

i created following regular expression: REX "URL:\s\/\w+\/\w+\/\enviro/(?.*)/updatesearching/

but i'm not getting it. how can i improve the regular expression or how can i extract that number?

0 Karma
1 Solution

gokadroid
Motivator

Can you please try this and see if it works for you:

If it's always between enviro and updatesearching:

your query to return events
|rex field=_raw "enviro\/(?<capturedNum>[^\/]+)\/updatesearching"
| table capturedNum

If the numbers of interest come always after enviro:

your query to return events
|rex field=_raw "\/enviro\/(?<capturedNum>[^\/]+)\/"
| table capturedNum

If it's always the fourth element then try this:

your query to return events
|rex field=_raw "URL:\s*\/([^\s\/]+\/){3}(?<capturedNum>[^\/]+)\/"
| table capturedNum

View solution in original post

gokadroid
Motivator

Can you please try this and see if it works for you:

If it's always between enviro and updatesearching:

your query to return events
|rex field=_raw "enviro\/(?<capturedNum>[^\/]+)\/updatesearching"
| table capturedNum

If the numbers of interest come always after enviro:

your query to return events
|rex field=_raw "\/enviro\/(?<capturedNum>[^\/]+)\/"
| table capturedNum

If it's always the fourth element then try this:

your query to return events
|rex field=_raw "URL:\s*\/([^\s\/]+\/){3}(?<capturedNum>[^\/]+)\/"
| table capturedNum

guillecasco
Path Finder

it worked! |rex field=_raw "enviro\/(?[^\/]+)\/updatesearching" thanks dude

0 Karma

guillecasco
Path Finder

what is the field=_raw does exactly. I didnt put there anything

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...