Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my regular expression to extract the URL from both of my sample log entries?

dbcase
Motivator
‎09-06-2016 01:14 PM

Hi,

I have these two entries in the same log. I'm try to extract out the URL in bold below

For the first one I have regex GET|POST\s(?<URL>[^\"]+) which works fine. But I can't figure out the second one and I'd like to have 1 regex to work with both

"beta.icontrol.com" 70.212.47.107 "70.212.47.107" - - [06/Sep/2016:09:39:12 -0500] "POST /rest/icontrol/sites/1000738/network/instances/121000738.1.0/functions/cameraAccessTerminated HTTP/1.1" 401 6 0 UCT-2058 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G36" "-"

"50.56.0.126" 89.248.167.131 "-" - - [06/Sep/2016:13:55:05 -0500] "GET /sitemap.xml HTTP/1.1" 404 209 0 UCT-1791 "-" "-" "-"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-06-2016 01:39 PM

Try this

.. | rex "(GET|POST)\s(?<url>[^\s]+)"

*OR*

... | rex "(GET|POST)\s(?<url>[^\"]+)"

The first one will exclude HTTP 1.1 the second will include it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-06-2016 01:39 PM

Try this

.. | rex "(GET|POST)\s(?<url>[^\s]+)"

*OR*

... | rex "(GET|POST)\s(?<url>[^\"]+)"

The first one will exclude HTTP 1.1 the second will include it.

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-06-2016 05:59 PM

Hi Sundareshr,

Well it works (of course). I have an additional follow on question. In my first rex expression I had get|post without () and it worked on one of the log entries but not the second one. Yours works on both. What does the () around get|post do that makes it work on both log entries?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-06-2016 06:04 PM

When you include them within parens, it treats it as a group. In your case, its looks for (GET) OR (POST followed by URL), what you need is (GET OR POST) followed by URL.

I use these two sites for my regex.

http://www.regular-expressions.info/tutorial.html
https://regex101.com/

Reply
Solved! Jump to solution

dbcase
Motivator
‎09-06-2016 06:08 PM

Ahhh, that helps! Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...