Solved: How to edit my regular expression to extract URI f...

xxdesmus · ‎01-22-2017

Hey folks, sorry for asking this type of regex question yet again.

I have values like this in a field called "url":

http://8.8.8.8/file.sh
http://1.1.1.1/file2.sh
http://8.8.4.4/file3.sh

I'm trying to use rex to grab just the URI following the last " / " so I end up with a list like this:

file.sh
file2.sh
file3.sh

I was trying to accomplish this using source=cowrie url=* | rex field=uri "\/(?<url>\w+)\s" | table uri but I'm 99% sure my regular expression is wrong.

Any help would be greatly appreciated!

somesoni2 · ‎01-22-2017

Give these a try (remove head command after testing)

source=cowrie url=* | head 100 | table url| rex field=url "\/(?<uri>\w+\.\w+)$"

OR

source=cowrie url=* | head 100 | table url| rex field=url "^\w+:\/\/[^\/]+\/(?<uri>.+)$"

View solution in original post

somesoni2 · ‎01-22-2017

Give these a try (remove head command after testing)

source=cowrie url=* | head 100 | table url| rex field=url "\/(?<uri>\w+\.\w+)$"

OR

source=cowrie url=* | head 100 | table url| rex field=url "^\w+:\/\/[^\/]+\/(?<uri>.+)$"

xxdesmus · ‎01-22-2017

You are a genius. Thanks!

How to edit my regular expression to extract URI from URL?

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Are you a member of the Splunk Community?

How to edit my regular expression to extract URI from URL?

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!