Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I match all data after the last slash using regex?

harikishore23
New Member
‎11-27-2018 12:59 AM

Hi,

I'm trying to retrieve data using regex and wildcard.

Search query -  "URL=/data/item/v1/*/"

Result 1 - /data/item/v1/1234/on
Result 2 - /data/item/v1/1234

I want to all data between the asterix, but not after the last slash.

I'm using this regex currently, but it doesn't work.

Got the following error - Error in 'rex' command: 

The regex '^(.*[\\/])' does not extract anything. It should specify at least one named group. Format: (?...).

rex field=URL "^(.*[\\\/])"

Regex works fine here - regexr . com / 43r9n

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-28-2018 08:20 PM

Like this:

| makeresults | eval URL="/data/item/v1/1234/on:::/data/item/v1/1234"
| fields - _time
| makemv delim=":::" URL
| mvexpand URL

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex field=URL "^(?:\/[^\/]+){3}\/(?<foo>.*)(?:\/[^\/]*)?"
0 Karma
Reply

dkeck
Influencer
‎11-27-2018 04:42 AM

As said in the error you are missing a named group

You have to specify the name of the field you want to extract the data to

syntax (?<name_of_field>)

Try ^(?<name_of_field>.*[\\\/])

Kind Regards

Reply

dkeck
Influencer
‎12-06-2018 12:30 AM

Please accept if this helped

0 Karma
Reply

harikishore23
New Member
‎11-27-2018 04:56 AM

Hi,

I'm getting the following error when using using this search pattern with your code.

| rex field=URL "^(?.*[\\/])"

Encountered the following error while compiling the regex '^(?.*[\/])': Regex: unrecognized character after (? or (?-

Thanks.

0 Karma
Reply

dkeck
Influencer
‎11-27-2018 04:58 AM

sry I did not use the code sample so my answer got changed:

^(?<name_of_field>.*[\\\/])

try this

0 Karma
Reply

ddrillic
Ultra Champion
‎11-28-2018 06:13 PM

It works ; -) you can try - 

index=<any index>
| eval _raw="/data/item/v1/1234/on"
| rex field=_raw "^(?<name_of_field>.*[\\\/])"
0 Karma
Reply

ddrillic
Ultra Champion
‎11-28-2018 03:31 PM

A cute demonstration of the greediness of this regular expression ; -)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...