Splunk Search

How to write a regex to break a URL after the fourth slash?

jip31
Motivator

Hello,

I am trying to write a regex to break a URL after the fourth slash:

https://xxxx/yyyy/test

Could you help, please?


ITWhisperer
SplunkTrust

It seems that the way you have phrased your question does not make it clear what it is you are trying to achieve - please can you give examples of the desired output so we might better be able to guide you to a solution?


gcusello
Legend

Hi @jip31,

please try something like this:

your_search
| rex "^(https|http):(?<url>\/\/\w+\/\w+\/)"

that you can test at https://regex101.com/r/4kTIF3/1

Ciao.

Giuseppe


jip31
Motivator

Hi

That's not what I need.

My need is not to match the fourth / but to break the URL after the fourth / into a single line


gcusello
Legend

Hi @jip31,

my regex puts in the url field the url until the fourth slash, or, if you prefer, the second section of it.

If you want in the reduced url also http or https, you could use this:

your_search
| rex "^(?<url>(https|http):\/\/\w+\/\w+\/)"

Ciao.

Giuseppe


jip31
Motivator

It doesn't work


gcusello
Legend

Hi @jip31,

the regex works on regex101.com: https://regex101.com/r/4kTIF3/2

could you share a sample of your logs?

Ciao.

Giuseppe


etoombs
Path Finder

Depending on what you need, there may be other ways to accomplish this. Are you just trying to capture the final value, or would it always be after the 4th / even if there were more after it?


richgalloway
SplunkTrust

It would have helped to know what you'd tried before so we wouldn't suggest the same expressions.

Have you tried (?<field1>(?:.*?\/){4})(?<field2>.*) ?

---
If this reply helps you, an upvote would be appreciated.

jip31
Motivator

Thanks, it works, but I would like to do the break in the same line; actually it's done on 2 lines.

Is it possible?


ITWhisperer
SplunkTrust

Please explain what you mean by this, perhaps with some sample events and what your desired output would be?


jip31
Motivator

If the URL is https://xxxx/yyyy/test, I need to display

https://xxxx/yyyy

/test

in the same line


gcusello
Legend

Hi @jip31,

let me understand, you want two fields from your url:

if this is your need, please try this:

your_search
| rex "^(?<url1>(https|http):\/\/\w+\/\w+)(?<url2>\/[^ ]+)"

if the url is in another extracted field (called e.g. original_url), you could use:

your_search
| rex field=original_url "^(?<url1>(https|http):\/\/\w+\/\w+)(?<url2>\/[^ ]+)"

you can test the new regex at https://regex101.com/r/4kTIF3/3

Ciao.

Giuseppe


jip31
Motivator

always not good...

it breaks anything


ITWhisperer
SplunkTrust
| eval url=replace(url,"(?<part1>\w+:(\/.*){4})(?<rest>.*)","\1
\2")

jip31
Motivator

It sounds like this, but when I say that I want to cut after the fourth /, the double / after https has to be taken into account

So in my example, the cut has to be done just before /test

And another point: /test has to be cut and pasted, not copied and pasted

https://xxxx/yyyy/test


ITWhisperer
SplunkTrust

Sorry, the double slash was messing with the result. Try this

| eval updated=replace(url,"(?<part1>\w+:\/\/[^\/]*\/[^\/]*)(?<rest>.*)","\1
\2")

jip31
Motivator

perfect ITWhisperer, many thanks

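The four patterns posted in this thread, compared side by side as an added example (not written by any participant in the thread). JavaScript is used because its regex syntax accepts the thread's `(?<name>...)` groups unchanged; the sample URLs other than the one from the question are constructed for illustration.

```javascript
// Added example: the thread's patterns, copied unchanged, run against
// constructed sample URLs (hostnames are made up for illustration).
const patterns = {
  gcusello: /^(?<url1>(https|http):\/\/\w+\/\w+)(?<url2>\/[^ ]+)/,
  richgalloway: /(?<field1>(?:.*?\/){4})(?<field2>.*)/,
  itwhispererFirst: /(?<part1>\w+:(\/.*){4})(?<rest>.*)/,
  accepted: /(?<part1>\w+:\/\/[^\/]*\/[^\/]*)(?<rest>.*)/,
};

const samples = [
  "https://xxxx/yyyy/test", // the URL from the question
  "https://app-01.example.com/api/v1/users?id=7", // dots and a hyphen in the host
  "http://example.com:8080/login/step2", // explicit port
];

// Return [head, rest] from the pattern's two named groups,
// or null when the pattern does not match the URL at all.
function splitUrl(pattern, url) {
  const m = pattern.exec(url);
  if (m === null) return null;
  const [head, rest] = Object.values(m.groups);
  return [head, rest];
}

// One row per (pattern, URL) so the differences are visible side by side.
function compare() {
  const rows = [];
  for (const [name, pattern] of Object.entries(patterns)) {
    for (const url of samples) {
      const parts = splitUrl(pattern, url);
      rows.push({
        pattern: name,
        url,
        head: parts?.[0] ?? null,
        rest: parts?.[1] ?? null,
      });
    }
  }
  return rows;
}

console.table(compare());
```

Only the accepted pattern splits all three samples into the URL up to the second path slash plus a remainder that starts with `/`. A `\w+` host segment does not match dots, hyphens or a port, and the greedy `(\/.*){4}` form always leaves the remainder empty.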