Solved: How can I improve my regular expression to extract...

guillecasco · ‎01-20-2017

Hey i have the following logs:

INCOMING REQUEST:
URL:  /pop/v1/enviro/2ee999b4-d97ba81bdefd/updatesearching/

i need to extract the numbers after enviro/ and before /updatesearching

i created following regular expression: REX "URL:\s\/\w+\/\w+\/\enviro/(?.*)/updatesearching/

but i'm not getting it. how can i improve the regular expression or how can i extract that number?

gokadroid · ‎01-20-2017

Can you please try this and see if it works for you:

If it's always between enviro and updatesearching:

your query to return events
|rex field=_raw "enviro\/(?<capturedNum>[^\/]+)\/updatesearching"
| table capturedNum

If the numbers of interest come always after enviro:

your query to return events
|rex field=_raw "\/enviro\/(?<capturedNum>[^\/]+)\/"
| table capturedNum

If it's always the fourth element then try this:

your query to return events
|rex field=_raw "URL:\s*\/([^\s\/]+\/){3}(?<capturedNum>[^\/]+)\/"
| table capturedNum

gokadroid · ‎01-20-2017

Can you please try this and see if it works for you:

If it's always between enviro and updatesearching:

your query to return events
|rex field=_raw "enviro\/(?<capturedNum>[^\/]+)\/updatesearching"
| table capturedNum

If the numbers of interest come always after enviro:

your query to return events
|rex field=_raw "\/enviro\/(?<capturedNum>[^\/]+)\/"
| table capturedNum

If it's always the fourth element then try this:

your query to return events
|rex field=_raw "URL:\s*\/([^\s\/]+\/){3}(?<capturedNum>[^\/]+)\/"
| table capturedNum

guillecasco · ‎01-20-2017

it worked! |rex field=_raw "enviro\/(?[^\/]+)\/updatesearching" thanks dude

guillecasco · ‎01-20-2017

what is the field=_raw does exactly. I didnt put there anything

How can I improve my regular expression to extract a field located inside a URL?