Solved: How do I extract a particular text from url/api en...

ashinde3 · ‎02-23-2022

Hi all,

So, I have this URL/API endpoint as http://xml.app.com/pay/ent/auth/service/getId and I want to extract getId for the index that has field name 'end_points' and create table for the same field name that only displays the text 'getId' rather than the entire URL. How to do it using regex in Splunk. Although, I tried something like this:

rex "^http(s)?:\W+\w+\.\w+\.com\W\w+\W\w+\W\w+\W\w+\W(?<end_points>)" | table end_points

Since, I started learning Splunk quite a few days ago, I'm new to this. Any help would be appreciated. Thanks.

PickleRick · ‎02-23-2022

You're hugely overcomplicating this.

/(?<last_component>[^/]+/?)$

And if you already have a field called endpoints, you use it like this:

rex field=endpoints "/(?<last_component>[^/]+/?)$"

View solution in original post

PickleRick · ‎02-23-2022

You're hugely overcomplicating this.

/(?<last_component>[^/]+/?)$

And if you already have a field called endpoints, you use it like this:

rex field=endpoints "/(?<last_component>[^/]+/?)$"

m_pham · ‎02-23-2022

I'm not the best at regex but I think what you're going for is this:

^\S+service\/(?<end_points>[^\s]+)

Without seeing your more of the data around the URL, it's going to be hard to help you with an accurate regex.

How do I extract a particular text from url/api endpoint using regex?

field extraction

fields

regex

rex

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?