Splunk Search

How to extract a string located between two backslashes in a field?

New Member

Hi guys I'm new to Splunk 🙂

A search I created returns the following in a specific field: /Erginn008/3e2ce24a277ggh9/e709d1a.json

I'm looking to extract the Erginn008 between the first 2 backslashes?

Any help appreciated thanks.

0 Karma
1 Solution

Legend

Try this

sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path=* | rex field=cs_uri_path "\/(?<path>[^\/]+?)\/" |

View solution in original post

Splunk Employee
Splunk Employee

@marktechuk - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks.

0 Karma

Legend

Try this

sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path=* | rex field=cs_uri_path "\/(?<path>[^\/]+?)\/" |

View solution in original post

SplunkTrust
SplunkTrust

If following is your data you can use split and mvindex commands in conjunction to split based on backslash and then read first value:
fieldName="/Erginn008/3e2ce24a277ggh9/e709d1a.json"

Your Base Search Here | eval SplitFields=split(fieldName,"/") | eval firstField=mvindex(SplitFields,1)| table fieldName, SplitFields, firstField

As split command splits fieldName to multivalue field SplitFields, you need to call mvindex command to fetch the first value.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust
SplunkTrust

You can do it at search time using rex.

... | rex field=myField "\/(?<newField>[^\/]+)" | ...
---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Thanks Rich, Tried this but getting an error

sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path="*" |rex cs_uri_path="*" "\/(?[^\/]+)" |
0 Karma

SplunkTrust
SplunkTrust

rex doesn't make assignments. The 'field' keyword is literally "field"; replace 'myField' with the name of the field you want to extract from. So your query becomes

sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path="*" |rex field=cs_uri_path "*" "\/(?<newField>[^\/]+)" |
---
If this reply helps you, an upvote would be appreciated.
0 Karma