Solved: How to extract fields with differing lengths from ...

patelpin · ‎09-21-2016

Hello,

I am trying to pull certain criteria out of cs-uri-stem that contain different lengths for cs-uri-stem. I am trying to get one field extraction from all the examples.

Here are some examples of the cs_uri_stem entries:

/apps/orderalert/default.aspx
/netpub/ser.np
/apps/ajt/a2dsfile/files/dll/data.dll
/apps/ajt/SE3SPXWEBSERVICE/SpxSE3WebService.asmx
/aspnet_client/system_web/2_0_50727/Themes/Normal/images/sss_head_bg.gif

The goal is to get everything minus the last bit and the "/" at the beginning and end. I have highlighted what it is I want to get out of cs_uri_stem. If I need to post more from the log files I can.

apps/orderalert
netpub
apps/ajt/a2dsfile/files
apps/ajt/SE3SPXWEBSERVICE
aspnet_client/system_web/2_0_50727/Themes/Normal/images

sundareshr · ‎09-21-2016

Try this

base search | rex field=cs_uri_stem "\/(?<fld>.*)\/"

View solution in original post

sundareshr · ‎09-21-2016

Try this

base search | rex field=cs_uri_stem "\/(?<fld>.*)\/"

patelpin · ‎09-26-2016

This worked great, thanks. I was able to use "\/(?.*)\/ in cs_uri_stem" to make it work for me.

How to extract fields with differing lengths from cs-uri-stem entries?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation