Splunk Search

How do I match all data after the last slash using regex?

harikishore23
New Member

Hi,

I'm trying to retrieve data using regex and wildcard.

Search query -  "URL=/data/item/v1/*/"

Result 1 - /data/item/v1/1234/on
Result 2 - /data/item/v1/1234

I want all data between the asterisk, but not after the last slash.

I'm using this regex currently, but it doesn't work.

Got the following error - Error in 'rex' command:

The regex '^(.*[\\/])' does not extract anything. It should specify at least one named group. Format: (?<name>...).

rex field=URL "^(.*[\\\/])"

Regex works fine here - regexr . com / 43r9n

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults | eval URL="/data/item/v1/1234/on:::/data/item/v1/1234"
| fields - _time
| makemv delim=":::" URL
| mvexpand URL

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex field=URL "^(?:\/[^\/]+){3}\/(?<foo>.*)(?:\/[^\/]*)?"
0 Karma

dkeck
Influencer

As said in the error you are missing a named group

You have to specify the name of the field you want to extract the data to

syntax (?<name_of_field>)

Try ^(?<name_of_field>.*[\\\/])

Kind Regards

dkeck
Influencer

Please accept if this helped

0 Karma

harikishore23
New Member

Hi,

I'm getting the following error when using this search pattern with your code.

| rex field=URL "^(?.*[\\/])"

Encountered the following error while compiling the regex '^(?.*[\/])': Regex: unrecognized character after (? or (?-

Thanks.

0 Karma

dkeck
Influencer

Sorry, I did not use the code sample, so my answer got changed:

^(?<name_of_field>.*[\\\/])

try this

0 Karma

ddrillic
Ultra Champion

It works ; -) you can try -

index=<any index>
| eval _raw="/data/item/v1/1234/on"
| rex field=_raw "^(?<name_of_field>.*[\\\/])"
0 Karma

ddrillic
Ultra Champion

A cute demonstration of the greediness of this regular expression ; -)

0 Karma
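
The named-group requirement and the greediness discussed in this thread, as an added example that is not part of any poster's answer. JavaScript's RegExp stands in for Splunk's regex engine because both accept the `(?<name>...)` syntax; the `single_segment` pattern, the group name `value` and the helper function names are assumptions made for illustration.

```javascript
// Constructed sample input: the two URLs from the question.
const SAMPLE_URLS = ["/data/item/v1/1234/on", "/data/item/v1/1234"];

const PATTERNS = {
  // From the thread (dkeck, ddrillic): greedy .* backtracks to the LAST slash.
  up_to_last_slash: /^(?<value>.*[\\\/])/,
  // From the thread (woodcock): skip three path segments, then capture greedily.
  after_third_segment: /^(?:\/[^\/]+){3}\/(?<value>.*)(?:\/[^\/]*)?/,
  // Hypothetical variant, not from the thread: stop at the next slash instead.
  single_segment: /^(?:\/[^\/]+){3}\/(?<value>[^\/]+)/,
};

// Returns the named capture, or null when the pattern does not match.
function extract(pattern, url) {
  const m = pattern.exec(url);
  return m ? m.groups.value : null;
}

// Maps each pattern name to the value it captures from each sample URL.
function runAll(urls = SAMPLE_URLS) {
  const out = {};
  for (const [name, re] of Object.entries(PATTERNS)) {
    out[name] = urls.map((u) => extract(re, u));
  }
  return out;
}

// Simplified pre-check for the rex rule quoted in the error message:
// the pattern needs at least one named group. Lookbehinds such as (?<= or (?<!
// are not counted as named groups.
function hasNamedGroup(source) {
  return /\(\?P?<[A-Za-z_][A-Za-z0-9_]*>/.test(source);
}

console.log(runAll());
console.log(hasNamedGroup("^(.*[\\\\/])"), hasNamedGroup("^(?<name_of_field>.*[\\\\/])"));
```

The optional trailing group in `after_third_segment` never gets a chance to claim the last segment, because the greedy `.*` before it has already consumed the rest of the string.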