Solved: How to extract fields with differing lengths from ...

patelpin · ‎09-21-2016

Hello,

I am trying to pull certain criteria out of cs-uri-stem that contain different lengths for cs-uri-stem. I am trying to get one field extraction from all the examples.

Here are some examples of the cs_uri_stem entries:

/apps/orderalert/default.aspx
/netpub/ser.np
/apps/ajt/a2dsfile/files/dll/data.dll
/apps/ajt/SE3SPXWEBSERVICE/SpxSE3WebService.asmx
/aspnet_client/system_web/2_0_50727/Themes/Normal/images/sss_head_bg.gif

The goal is to get everything minus the last bit and the "/" at the beginning and end. I have highlighted what it is I want to get out of cs_uri_stem. If I need to post more from the log files I can.

apps/orderalert
netpub
apps/ajt/a2dsfile/files
apps/ajt/SE3SPXWEBSERVICE
aspnet_client/system_web/2_0_50727/Themes/Normal/images

sundareshr · ‎09-21-2016

Try this

base search | rex field=cs_uri_stem "\/(?<fld>.*)\/"

View solution in original post

sundareshr · ‎09-21-2016

Try this

base search | rex field=cs_uri_stem "\/(?<fld>.*)\/"

patelpin · ‎09-26-2016

This worked great, thanks. I was able to use "\/(?.*)\/ in cs_uri_stem" to make it work for me.

How to extract fields with differing lengths from cs-uri-stem entries?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to extract fields with differing lengths from cs-uri-stem entries?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25