Solved: How to extract fields with differing lengths from ...

patelpin · ‎09-21-2016

Hello,

I am trying to pull certain criteria out of cs-uri-stem that contain different lengths for cs-uri-stem. I am trying to get one field extraction from all the examples.

Here are some examples of the cs_uri_stem entries:

/apps/orderalert/default.aspx
/netpub/ser.np
/apps/ajt/a2dsfile/files/dll/data.dll
/apps/ajt/SE3SPXWEBSERVICE/SpxSE3WebService.asmx
/aspnet_client/system_web/2_0_50727/Themes/Normal/images/sss_head_bg.gif

The goal is to get everything minus the last bit and the "/" at the beginning and end. I have highlighted what it is I want to get out of cs_uri_stem. If I need to post more from the log files I can.

apps/orderalert
netpub
apps/ajt/a2dsfile/files
apps/ajt/SE3SPXWEBSERVICE
aspnet_client/system_web/2_0_50727/Themes/Normal/images

sundareshr · ‎09-21-2016

Try this

base search | rex field=cs_uri_stem "\/(?<fld>.*)\/"

View solution in original post

sundareshr · ‎09-21-2016

Try this

base search | rex field=cs_uri_stem "\/(?<fld>.*)\/"

patelpin · ‎09-26-2016

This worked great, thanks. I was able to use "\/(?.*)\/ in cs_uri_stem" to make it work for me.

How to extract fields with differing lengths from cs-uri-stem entries?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

How to extract fields with differing lengths from cs-uri-stem entries?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability