Solved: How to extract id from url message?

Span · ‎11-02-2022

Hi, I have below message and Iam trying to use rex to extract the id... But myid always shows empty.. Please help

- - [02/Nov/2022:17:43:03 -0400] "PUT /application/resources/cat/v7/product/1234567890003/status HTTP/1.1" 201 - abcd.com - 8 web-614

rex field=msg "/application/resources/cat/v7/product/(?<myid>[0-9]*)/status" | table myid

johnhuang · ‎11-02-2022

The sample data looks like _raw rather than msg.

You can try something like this which extracts any 13 digit number nested between forward slashes. This could be more flexible depending on the variability of your data.

| rex "\/(?<myid>\d{13})\/"
| table myid

View solution in original post

johnhuang · ‎11-02-2022

The sample data looks like _raw rather than msg.

You can try something like this which extracts any 13 digit number nested between forward slashes. This could be more flexible depending on the variability of your data.

| rex "\/(?<myid>\d{13})\/"
| table myid

richgalloway · ‎11-02-2022

Slashes in regular expressions must be escaped.

rex field=msg "\/application\/resources\/cat\/v7\/product\/(?<myid>[0-9]*)/status" | table myid

---
If this reply helps you, Karma would be appreciated.

How to extract id from url message?

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation