Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I match all data after the last slash using regex?

harikishore23
New Member
‎11-27-2018 12:59 AM

Hi,

I'm trying to retrieve data using regex and wildcard.

Search query -  "URL=/data/item/v1/*/"

Result 1 - /data/item/v1/1234/on
Result 2 - /data/item/v1/1234

I want to all data between the asterix, but not after the last slash.

I'm using this regex currently, but it doesn't work.

Got the following error - Error in 'rex' command: 

The regex '^(.*[\\/])' does not extract anything. It should specify at least one named group. Format: (?...).

rex field=URL "^(.*[\\\/])"

Regex works fine here - regexr . com / 43r9n

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-28-2018 08:20 PM

Like this:

| makeresults | eval URL="/data/item/v1/1234/on:::/data/item/v1/1234"
| fields - _time
| makemv delim=":::" URL
| mvexpand URL

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex field=URL "^(?:\/[^\/]+){3}\/(?<foo>.*)(?:\/[^\/]*)?"
0 Karma
Reply

dkeck
Influencer
‎11-27-2018 04:42 AM

As said in the error you are missing a named group

You have to specify the name of the field you want to extract the data to

syntax (?<name_of_field>)

Try ^(?<name_of_field>.*[\\\/])

Kind Regards

Reply

dkeck
Influencer
‎12-06-2018 12:30 AM

Please accept if this helped

0 Karma
Reply

harikishore23
New Member
‎11-27-2018 04:56 AM

Hi,

I'm getting the following error when using using this search pattern with your code.

| rex field=URL "^(?.*[\\/])"

Encountered the following error while compiling the regex '^(?.*[\/])': Regex: unrecognized character after (? or (?-

Thanks.

0 Karma
Reply

dkeck
Influencer
‎11-27-2018 04:58 AM

sry I did not use the code sample so my answer got changed:

^(?<name_of_field>.*[\\\/])

try this

0 Karma
Reply

ddrillic
Ultra Champion
‎11-28-2018 06:13 PM

It works ; -) you can try - 

index=<any index>
| eval _raw="/data/item/v1/1234/on"
| rex field=_raw "^(?<name_of_field>.*[\\\/])"
0 Karma
Reply

ddrillic
Ultra Champion
‎11-28-2018 03:31 PM

A cute demonstration of the greediness of this regular expression ; -)

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...