
How do I edit my regular expression to extract a field from my sample log event?

namritha
Path Finder

Hi,
I am trying to extract a field from a log event, but need help as my RegEx seems to be wrong.

Input string:

2011-07-11 14:45:59,965 | PERF  | [http-jboss-vm-a1b25.prod.v3-nonpid-brown.cloud.ab.com/12.47.5.87:8223-34] | [com.ab.fap.webser.client.RestServiceClient] | [0b108g34-9529-707c-6e2c-fd510206d1md] | [] | TIME: (0) 2011/07/11 14:45:59:943 to 14:45:59:965 19 ms. https://abcdefapi.ab.com/v4/sof/bcp/{ssf_nuid}

Regular expression used: ^(?:[^:\n]*:){10}\d+\s+\d+\s+\w+\.\s+

The regular expression matches the string up to "ms", as given below:

[screenshot of the match result not reproduced]

I want to extract anything after ms i.e. the value "https://abcdefapi.ab.com/v4/sof/bcp/{ssf_nuid}" in this case.
Please tell me what is incorrect in the below command or what the correct command is.

Command used:
source="abc.log"|rex field=_raw "^(?:[^:\n]*:){10}\d+\s+\d+\s+\w+\.\s+(?P)\w+" does not extract

NOTE: All field values have been changed to dummy values and do not represent the real configurations.


sundareshr
Legend

If you just want to capture everything after ms till the end, you can use this regex

\d+\s+ms\.\s+(?<url>.*)

richgalloway
SplunkTrust

You're falling into the common trap of trying to match more than is necessary. If you're only interested in the URL, then write a regex for a URL. This works with your sample.

source="abc.log" | rex "(?<url>http[s]:\/\/.*)" | ...
---
If this reply helps you, Karma would be appreciated.

MuS
SplunkTrust

Upvote on this, because it matches in fewer steps and therefore is much faster 😉

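As an added check (not part of the thread), the script below runs the regexes from this discussion against the sample event so you can see why the original rex fails and what each answer captures. It assumes Python's re module behaves like Splunk's PCRE for these patterns, rewriting the (?<name>...) group syntax that Python does not accept; the broader https? variant at the end is my own addition, not from any of the posts.

```python
import re

# Constructed copy of the sample event from the question (dummy values, as the poster notes).
SAMPLE = (
    "2011-07-11 14:45:59,965 | PERF  | "
    "[http-jboss-vm-a1b25.prod.v3-nonpid-brown.cloud.ab.com/12.47.5.87:8223-34] | "
    "[com.ab.fap.webser.client.RestServiceClient] | "
    "[0b108g34-9529-707c-6e2c-fd510206d1md] | [] | "
    "TIME: (0) 2011/07/11 14:45:59:943 to 14:45:59:965 19 ms. "
    "https://abcdefapi.ab.com/v4/sof/bcp/{ssf_nuid}"
)
EXPECTED_URL = "https://abcdefapi.ab.com/v4/sof/bcp/{ssf_nuid}"

# Patterns as written in the thread.
ORIGINAL = r"^(?:[^:\n]*:){10}\d+\s+\d+\s+\w+\.\s+(?P)\w+"            # the poster's rex
ORIGINAL_NAMED = r"^(?:[^:\n]*:){10}\d+\s+\d+\s+\w+\.\s+(?<url>\w+)"  # same, with a real named group (my edit)
SUNDARESHR = r"\d+\s+ms\.\s+(?<url>.*)"
RICHGALLOWAY = r"(?<url>http[s]:\/\/.*)"
# Broader variant (not from the thread): accepts http or https, stops at the first whitespace.
BROADER = r"(?<url>https?:\/\/\S+)"


def pcre_to_python(pattern):
    """Splunk rex uses PCRE's (?<name>...) groups; Python's re only accepts (?P<name>...).
    Rewrite the group opener but leave lookbehinds (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def compiles(pattern):
    """True if the pattern is syntactically valid; a bare (?P) with no group name is not."""
    try:
        re.compile(pcre_to_python(pattern))
        return True
    except re.error:
        return False


def extract(pattern, line):
    """Return the named groups the pattern captures from `line`, or None if it does not match."""
    m = re.search(pcre_to_python(pattern), line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("original compiles:", compiles(ORIGINAL))                 # False: (?P) is a syntax error
    print("original with named group:", extract(ORIGINAL_NAMED, SAMPLE))  # \w+ stops at the ':' -> 'https'
    print("sundareshr:", extract(SUNDARESHR, SAMPLE))
    print("richgalloway:", extract(RICHGALLOWAY, SAMPLE))
    print("richgalloway on http://:", extract(RICHGALLOWAY, SAMPLE.replace("https://", "http://")))
```

Note that even with the group fixed, the poster's trailing `\w+` captures only "https" because `\w` does not match ":" or "/", and `http[s]` requires the "s", so plain http:// events would not extract with that rex.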