Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I match all data after the last slash u...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I match all data after the last slash using regex?
harikishore23
New Member
11-27-2018
12:59 AM
Hi,
I'm trying to retrieve data using regex and wildcard.
Search query - "URL=/data/item/v1/*/"
Result 1 - /data/item/v1/1234/on
Result 2 - /data/item/v1/1234
I want to all data between the asterix, but not after the last slash.
I'm using this regex currently, but it doesn't work.
Got the following error - Error in 'rex' command:
The regex '^(.*[\\/])' does not extract anything. It should specify at least one named group. Format: (?...).
rex field=URL "^(.*[\\\/])"
Regex works fine here - regexr . com / 43r9n
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-28-2018
08:20 PM
Like this:
| makeresults | eval URL="/data/item/v1/1234/on:::/data/item/v1/1234"
| fields - _time
| makemv delim=":::" URL
| mvexpand URL
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex field=URL "^(?:\/[^\/]+){3}\/(?<foo>.*)(?:\/[^\/]*)?"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkeck
Influencer
11-27-2018
04:42 AM
As said in the error you are missing a named group
You have to specify the name of the field you want to extract the data to
syntax (?<name_of_field>)
Try ^(?<name_of_field>.*[\\\/])
Kind Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkeck
Influencer
12-06-2018
12:30 AM
Please accept if this helped
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harikishore23
New Member
11-27-2018
04:56 AM
Hi,
I'm getting the following error when using using this search pattern with your code.
| rex field=URL "^(?.*[\\/])"
Encountered the following error while compiling the regex '^(?.*[\/])': Regex: unrecognized character after (? or (?-
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkeck
Influencer
11-27-2018
04:58 AM
sry I did not use the code sample so my answer got changed:
^(?<name_of_field>.*[\\\/])
try this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
11-28-2018
06:13 PM
It works ; -) you can try -
index=<any index>
| eval _raw="/data/item/v1/1234/on"
| rex field=_raw "^(?<name_of_field>.*[\\\/])"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
11-28-2018
03:31 PM
A cute demonstration of the greediness of this regular expression ; -)
Get Updates on the Splunk Community!
Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination
Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...
Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar
Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Splunk ITSI & Correlated Network Visibility
Now On Demand
Take Your Network Visibility to the Next Level
In today’s complex IT environments, ...
