Solved: How to extract a text from a field

nirmalya2006 · ‎07-15-2016

Hi All

I have a field which has urls in this pattern

GET /echo/index?page=content&id=PRO19579&viewlocale=es_ES HTTP/1.1  
GET /echo/index?page=relatedLinks&id=PRD1296&viewLocale=null&channel=REFERENCE&_=1454507716347 HTTP/1.1

I have to extract only the part between 'page' and '&' ie 'content' and 'relatedLinks' from it.
I tried to extract it using substr and rtrim but I am unable to trim contents after &.
My search string is

| eval URL = substr(field7,17) | eval URL = rtrim(URL,"^\\&.*")

After using substr my result is

page=content&id=PRO19579&viewlocale=es_ES HTTP/1.1
page=relatedLinks&id=PRD1296&viewLocale=null&channel=REFERENCE&_=1454507716347 HTTP/1.1

But the rtrim function is not at all working to remove the text with and after &.

Please help.

sundareshr · ‎07-15-2016

Use rex instead

... | rex "page=(?<page>[^&]+)" | table page

View solution in original post

sundareshr · ‎07-15-2016

Use rex instead

... | rex "page=(?<page>[^&]+)" | table page

How to extract a text from a field

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to extract a text from a field

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25