Solved: How do I extract a particular text from url/api en...

ashinde3 · ‎02-23-2022

Hi all,

So, I have this URL/API endpoint as http://xml.app.com/pay/ent/auth/service/getId and I want to extract getId for the index that has field name 'end_points' and create table for the same field name that only displays the text 'getId' rather than the entire URL. How to do it using regex in Splunk. Although, I tried something like this:

rex "^http(s)?:\W+\w+\.\w+\.com\W\w+\W\w+\W\w+\W\w+\W(?<end_points>)" | table end_points

Since, I started learning Splunk quite a few days ago, I'm new to this. Any help would be appreciated. Thanks.

PickleRick · ‎02-23-2022

You're hugely overcomplicating this.

/(?<last_component>[^/]+/?)$

And if you already have a field called endpoints, you use it like this:

rex field=endpoints "/(?<last_component>[^/]+/?)$"

View solution in original post

PickleRick · ‎02-23-2022

You're hugely overcomplicating this.

/(?<last_component>[^/]+/?)$

And if you already have a field called endpoints, you use it like this:

rex field=endpoints "/(?<last_component>[^/]+/?)$"

m_pham · ‎02-23-2022

I'm not the best at regex but I think what you're going for is this:

^\S+service\/(?<end_points>[^\s]+)

Without seeing your more of the data around the URL, it's going to be hard to help you with an accurate regex.

How do I extract a particular text from url/api endpoint using regex?

field extraction

fields

regex

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!