Solved: How to extract a content or string between 2 strin...

sekhar463 · ‎06-14-2022

AL9851 | Z1 | [https://example1.com/] recording played asia location is Down

AL9851 | Z1 | [http://alphabeta/] recording played from asia location is Down

AL9851 | Z1 | [http://alphabeta/] recording played from US location is Down

i have above log from that need to extract URL .as URL varies but content is same before and after URL .

gcusello · ‎06-15-2022

the phrase from @bowesmana means that using the rex command you can extract a field from the entire raw log (without specifying any field) as in your case, or specifying a field.

Ciao.

Giuseppe

View solution in original post

sekhar463 · ‎06-15-2022

thanks it works

but is both rex works as same

| rex "^([^\|]+\|\s+){2}\[(?<URL>[^\]]+)\]"

| rex "\[(?<url>http[^\]]*)\]"

sekhar463 · ‎06-15-2022

Thanks it works

but what is it means parsing _raw field

gcusello · ‎06-15-2022

Hi @sekhar463

the phrase from @bowesmana means that using the rex command you can extract a field from the entire raw log (without specifying any field) as in your case, or specifying a field.

Ciao.

Giuseppe

sekhar463 · ‎06-15-2022

Thank you

gcusello · ‎06-15-2022

Hi @sekhar463,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello · ‎06-14-2022

@sekhar463,

you could try this:

| rex "^([^\|]+\|\s+){2}\[(?<URL>[^\]]+)\]"

that you can test at https://regex101.com/r/2HDtmM/1

Ciao.

Giuseppe

sekhar463 · ‎06-15-2022

thanks

that works

bowesmana · ‎06-14-2022

Use

| rex "\[(?<url>http[^\]]*)\]"

assuming you are parsing _raw field

I am assuming your example has 3 rows with 3 urls. The field name extracted above will be url

How to extract a content or string between 2 strings

field extraction

regex

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!