Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a string located between two backslashes in a field?

marktechuk
New Member
‎11-15-2016 08:46 AM

Hi guys I'm new to Splunk 🙂

A search I created returns the following in a specific field: /Erginn008/3e2ce24a277ggh9/e709d1a.json

I'm looking to extract the Erginn008 between the first 2 backslashes?

Any help appreciated thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-18-2016 04:12 PM

Try this

sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path=* | rex field=cs_uri_path "\/(?<path>[^\/]+?)\/" |

View solution in original post

Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎11-29-2016 08:20 PM

@marktechuk - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-18-2016 04:12 PM

Try this

sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path=* | rex field=cs_uri_path "\/(?<path>[^\/]+?)\/" |
Reply
Solved! Jump to solution

niketn
Legend
‎11-18-2016 01:31 PM

If following is your data you can use split and mvindex commands in conjunction to split based on backslash and then read first value:
fieldName="/Erginn008/3e2ce24a277ggh9/e709d1a.json"

Your Base Search Here | eval SplitFields=split(fieldName,"/") | eval firstField=mvindex(SplitFields,1)| table fieldName, SplitFields, firstField

As split command splits fieldName to multivalue field SplitFields, you need to call mvindex command to fetch the first value.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2016 08:59 AM

You can do it at search time using rex.

... | rex field=myField "\/(?<newField>[^\/]+)" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

marktechuk
New Member
‎11-15-2016 09:12 AM

Thanks Rich, Tried this but getting an error

sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path="*" |rex cs_uri_path="*" "\/(?[^\/]+)" |
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-15-2016 02:25 PM

rex doesn't make assignments. The 'field' keyword is literally "field"; replace 'myField' with the name of the field you want to extract from. So your query becomes

sourcetype=proxy github.com cs_uri_path!=/ cs_uri_path="*" |rex field=cs_uri_path "*" "\/(?<newField>[^\/]+)" |
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...