Splunk Search

How to exclude last 2 parts of the URL in Splunk?

bharath999
New Member

I have a URL as below

1.aa/bb/cc/dd

2.nbcn/hbd/hvhd/hbxn

 

Need a regular expression to get the below output

1.aa/bb

2.nbcn/hbd

0 Karma

somesoni2
Revered Legend

If you always want to exclude the last 2 parts (regardless of how many segments your URL may have), try something like this

(?<shorturl>.+)\/[^\/]+\/[^\/]+$

 

In-line search

your search | rex "(?<shorturl>.+)\/[^\/]+\/[^\/]+$"

 

0 Karma

yuanliu
SplunkTrust

An alternative is to use mode=sed on the original URL field

| rex mode=sed field=url "s/(\/[^\/]+){2}$//"

0 Karma

ITWhisperer
SplunkTrust

| rex field=url "^(?<shorturl>[^\/]+\/[^\/]+)"

0 Karma
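
The three answers above agree on the four-segment samples from the question but not on URLs of other lengths. The search below is an added example, not posted by anyone in the thread; it runs all three side by side on generated events. The sample values and the field names constructed_sample, strip_last2, sed_url and keep_first2 are made up for the comparison.

```spl
| makeresults
| eval constructed_sample=split("aa/bb/cc/dd,nbcn/hbd/hvhd/hbxn,a/b/c/d/e,a/b", ",")
| mvexpand constructed_sample
| rename constructed_sample AS url
| rex field=url "(?<strip_last2>.+)\/[^\/]+\/[^\/]+$"
| eval sed_url=url
| rex mode=sed field=sed_url "s/(\/[^\/]+){2}$//"
| rex field=url "^(?<keep_first2>[^\/]+\/[^\/]+)"
| table url strip_last2 sed_url keep_first2
```

For a/b/c/d/e the strip_last2 and sed_url columns give a/b/c while keep_first2 gives a/b; for a/b the first rex extracts nothing and the sed form leaves the value unchanged.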