Solved: How to extract id from url message?

Span · ‎11-02-2022

Hi, I have below message and Iam trying to use rex to extract the id... But myid always shows empty.. Please help

- - [02/Nov/2022:17:43:03 -0400] "PUT /application/resources/cat/v7/product/1234567890003/status HTTP/1.1" 201 - abcd.com - 8 web-614

rex field=msg "/application/resources/cat/v7/product/(?<myid>[0-9]*)/status" | table myid

johnhuang · ‎11-02-2022

The sample data looks like _raw rather than msg.

You can try something like this which extracts any 13 digit number nested between forward slashes. This could be more flexible depending on the variability of your data.

| rex "\/(?<myid>\d{13})\/"
| table myid

View solution in original post

johnhuang · ‎11-02-2022

The sample data looks like _raw rather than msg.

You can try something like this which extracts any 13 digit number nested between forward slashes. This could be more flexible depending on the variability of your data.

| rex "\/(?<myid>\d{13})\/"
| table myid

richgalloway · ‎11-02-2022

Slashes in regular expressions must be escaped.

rex field=msg "\/application\/resources\/cat\/v7\/product\/(?<myid>[0-9]*)/status" | table myid

---
If this reply helps you, Karma would be appreciated.

How to extract id from url message?

rex

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud