Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How extract URI using regex?

karthi2809
Builder
‎01-15-2018 09:51 PM

I need to extract fields which mentioned in yellow?

alt text

Preview file
43 KB
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-15-2018 10:17 PM

You can try the following...

(?<capture1>\/(\w+\/){3})\d+\/(?<capture2>\w+)\/.*\/(?<capture3>\w+)

In SPL... 

| makeresults 
| eval URI="/v1/cp/members/257425525/benefits/999F-20180101-20181231-MED/excluded" 
| rex field=URI "(?<capture1>\/(\w+\/){3})\d+\/(?<capture2>\w+)\/.*\/(?<capture3>\w+)"

This will work for up to the third iteration. If you need to keep capturing, you can keep adding to that regex...

0 Karma
Reply

mayurr98
Super Champion
‎01-15-2018 10:11 PM

hey

you can try this run anywhere search

| makeresults | eval URI="/v1/cp/members/257425525/benefits/999F-20180101-20181231-MED/excluded" | rex field=URI "(?<first>^\/[^\/]+\/[^\/]+\/[^\/]+)\/[^\/]+\/(?<second>\w+)"

In your environment, you should write

 <base_search> | rex field=URI "(?<first>^\/[^\/]+\/[^\/]+\/[^\/]+)\/[^\/]+\/(?<second>\w+)"

let me know if this helps!

0 Karma
Reply

karthi2809
Builder
‎01-15-2018 11:12 PM

Hi mayurr

Thanks for you valuable answer but i send sample URI .there is lot of URI like this how can we extract using mode=sed

0 Karma
Reply

mayurr98
Super Champion
‎01-15-2018 11:42 PM

try this!
If you want to capture say benefits and excluded in one event then try this!

 | rex field=URI max_match=0 "(MED|\d{2,})\/(?P<sec>\w+)"

OR
if you want in three different field then use this

| rex field=URI "(?<first>^\/[^\/]+\/[^\/]+\/[^\/]+)\/[^\/]+\/(?<second>\w+)\/.*\/(?<Third>\w+)"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...