Hi all,
So, I have this URL/API endpoint, http://xml.app.com/pay/ent/auth/service/getId, and I want to extract getId for the index that has the field name 'end_points' and create a table for the same field name that only displays the text 'getId' rather than the entire URL. How can I do this using regex in Splunk? I tried something like this:
rex "^http(s)?:\W+\w+\.\w+\.com\W\w+\W\w+\W\w+\W\w+\W(?<end_points>)" | table end_points
Since I started learning Splunk quite a few days ago, I'm new to this. Any help would be appreciated. Thanks.
You're hugely overcomplicating this.
/(?<last_component>[^/]+/?)$
And if you already have a field called endpoints, you use it like this:
rex field=endpoints "/(?<last_component>[^/]+/?)$"
I'm not the best at regex but I think what you're going for is this:
^\S+service\/(?<end_points>[^\s]+)
Without seeing more of the data around the URL, it's going to be hard to help you with an accurate regex.
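Added example, not part of the original thread: the two patterns from the answers above, run in Python over constructed URLs to show where their captures differ (trailing slash, query string, extra path segment, no "service/" in the path). Python's `re` spells named groups `(?P<name>...)`, so the patterns are converted before compiling; every sample URL except the first is an assumption.

```python
import re

# Patterns copied verbatim from the two answers (PCRE syntax, as used by rex).
LAST_COMPONENT = r"/(?<last_component>[^/]+/?)$"
AFTER_SERVICE = r"^\S+service\/(?<end_points>[^\s]+)"


def pcre_to_python(pattern):
    """Compile a PCRE pattern with Python's re module.

    Only the named-group spelling is rewritten; this is safe here because
    neither pattern uses lookbehind, which also starts with "(?<".
    """
    return re.compile(pattern.replace("(?<", "(?P<"))


def extract(pattern, group, value):
    """Return the named capture from value, or None when nothing matches."""
    match = pcre_to_python(pattern).search(value)
    return match.group(group) if match else None


# Constructed sample values; only the first one appears in the question.
SAMPLES = [
    "http://xml.app.com/pay/ent/auth/service/getId",
    "http://xml.app.com/pay/ent/auth/service/getId/",
    "http://xml.app.com/pay/ent/auth/service/getId?user=42",
    "http://xml.app.com/pay/ent/auth/service/v2/getId",
    "http://xml.app.com/pay/ent/billing/listInvoices",
]


def compare(samples=SAMPLES):
    """Return (url, last_component capture, after-service capture) per sample."""
    return [
        (
            url,
            extract(LAST_COMPONENT, "last_component", url),
            extract(AFTER_SERVICE, "end_points", url),
        )
        for url in samples
    ]


if __name__ == "__main__":
    for url, last, after in compare():
        print(f"{url}\n  last_component={last!r}  after_service={after!r}")
```

The first pattern keeps a trailing slash or query string inside the capture, and the second returns nothing for a URL without "service/", so check both against the real values in the index before building a table on them.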