Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I match all data after the last slash using...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I match all data after the last slash using regex?
harikishore23
New Member
11-27-2018
12:59 AM
Hi,
I'm trying to retrieve data using regex and wildcard.
Search query - "URL=/data/item/v1/*/"
Result 1 - /data/item/v1/1234/on
Result 2 - /data/item/v1/1234
I want to all data between the asterix, but not after the last slash.
I'm using this regex currently, but it doesn't work.
Got the following error - Error in 'rex' command:
The regex '^(.*[\\/])' does not extract anything. It should specify at least one named group. Format: (?...).
rex field=URL "^(.*[\\\/])"
Regex works fine here - regexr . com / 43r9n
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-28-2018
08:20 PM
Like this:
| makeresults | eval URL="/data/item/v1/1234/on:::/data/item/v1/1234"
| fields - _time
| makemv delim=":::" URL
| mvexpand URL
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex field=URL "^(?:\/[^\/]+){3}\/(?<foo>.*)(?:\/[^\/]*)?"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkeck
Influencer
11-27-2018
04:42 AM
As said in the error you are missing a named group
You have to specify the name of the field you want to extract the data to
syntax (?<name_of_field>)
Try ^(?<name_of_field>.*[\\\/])
Kind Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkeck
Influencer
12-06-2018
12:30 AM
Please accept if this helped
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harikishore23
New Member
11-27-2018
04:56 AM
Hi,
I'm getting the following error when using using this search pattern with your code.
| rex field=URL "^(?.*[\\/])"
Encountered the following error while compiling the regex '^(?.*[\/])': Regex: unrecognized character after (? or (?-
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkeck
Influencer
11-27-2018
04:58 AM
sry I did not use the code sample so my answer got changed:
^(?<name_of_field>.*[\\\/])
try this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
11-28-2018
06:13 PM
It works ; -) you can try -
index=<any index>
| eval _raw="/data/item/v1/1234/on"
| rex field=_raw "^(?<name_of_field>.*[\\\/])"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
11-28-2018
03:31 PM
A cute demonstration of the greediness of this regular expression ; -)
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
