Splunk Search

How do I edit my regular expression to search for a question mark in a string?

dbcase
Motivator

Hi,

I'm having a dickens of a time trying to figure out how to use a question mark as the termination of a search for regex. My data looks like this

####     <[ACTIVE] ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1470912327355>  <[STUCK] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "662" seconds working on the request "Workmanager: mediaUpload-workManager, Version: 0, Scheduled=true, Started=true, Started time: 662872 ms
[
POST /cameraProxy/video?token=MTE0NTg5OjExNDU4OS4xNDcwMzgzNzc1OjExNDU4OS4zOjExNDU4OV83ODAzNDM2NTE3X3ZfMTM2NF80MjM4MjUwOTo2MDAyNTM= HTTP/1.1

And I'm trying to match on the ? just at the end of the /cameraProxy/video URL. My umpteenth try at the regex looks like this

GET\s|POST\s+(?<status>\/\w+\/\w+)

Which works, but if the URL is digits instead of a word, it wouldn't match. Ideally I'd like to search for the GET / POST, then the space, then match everything up to the ? mark.

0 Karma
1 Solution

sundareshr
Legend

Try this

 GET\s|POST\s+(?<status>\/[^\?]+)

View solution in original post

sundareshr
Legend

Try this

 GET\s|POST\s+(?<status>\/[^\?]+)

dbcase
Motivator

One day my goal is to be as smart as you Sundareshr! :slightly_smiling_face:

sundareshr
Legend

Your goal is very near, my friend :slightly_smiling_face:

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...