- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my regular expression to extract t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have these two entries in the same log. I'm try to extract out the URL in bold below
For the first one I have regex GET|POST\s(?<URL>[^\"]+) which works fine. But I can't figure out the second one and I'd like to have 1 regex to work with both
"beta.icontrol.com" 70.212.47.107 "70.212.47.107" - - [06/Sep/2016:09:39:12 -0500] "POST /rest/icontrol/sites/1000738/network/instances/121000738.1.0/functions/cameraAccessTerminated HTTP/1.1" 401 6 0 UCT-2058 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G36" "-"
"50.56.0.126" 89.248.167.131 "-" - - [06/Sep/2016:13:55:05 -0500] "GET /sitemap.xml HTTP/1.1" 404 209 0 UCT-1791 "-" "-" "-"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
.. | rex "(GET|POST)\s(?<url>[^\s]+)"
*OR*
... | rex "(GET|POST)\s(?<url>[^\"]+)"
The first one will exclude HTTP 1.1 the second will include it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
.. | rex "(GET|POST)\s(?<url>[^\s]+)"
*OR*
... | rex "(GET|POST)\s(?<url>[^\"]+)"
The first one will exclude HTTP 1.1 the second will include it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Sundareshr,
Well it works (of course). I have an additional follow on question. In my first rex expression I had get|post without () and it worked on one of the log entries but not the second one. Yours works on both. What does the () around get|post do that makes it work on both log entries?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you include them within parens, it treats it as a group. In your case, its looks for (GET) OR (POST followed by URL), what you need is (GET OR POST) followed by URL.
I use these two sites for my regex.
http://www.regular-expressions.info/tutorial.html
https://regex101.com/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahhh, that helps! Thank you!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
