Hi gcusello,

| rex "\/(connections|groups|services|processors)\/(?<Request_URL>\w*)"

I can follow this but can you guide me I need to extract id from Request URL and need to put it one column (like id1 or something any name) which only  only contain id part of Request_URL .

Currently by this changes 

| rex "\/(connections|groups|services|processors)\/(?<Request_URL>\w*)"

Its making the change directly in request URL . I need both REQUEST_URL which will contain complete URL and other is id which only contain id from Request_URL.

Can you provide me the regex for that?

Can you please suggest me on this ASAP as its urgently required

Hi gcusello,

| rex "\/(connections|groups|services|processors)\/(?<Request_URL>\w*)"

I can follow this but can you guide me I need to extract id from Request URL and need to put it one column (like id1 or something any name) which only  only contain id part of Request_URL .

Currently by this changes 

| rex "\/(connections|groups|services|processors)\/(?<Request_URL>\w*)"

Its making the change directly in request URL . I need both REQUEST_URL ehich will contain complete URL and other is id which only contain id from Request_URL.

Can you provide me the regex for that?

Hi gcusello

I cant hardcoded the words like this as there are mutiple URL's .These are some examples I have given.

 rex "\/(connections|groups|services|processors)\/(?<Request_URL>\w*)"

Previously I only have this URL

 https://xyz/api/groups/230df08c/registry.

So I tried like this and it works .It was creating one new column process and fetching "230df08c" part in the process column. that is (ID).

 | rex field=Request_URL "groups\/(?<process>[^\/]+)"

Can you please guide me how can I do this now .

It looks like you have a dynamic string to regex.

See this post - 

https://community.splunk.com/t5/Splunk-Search/Regex-for-dynamic-string/m-p/183009/highlight/true#M52... 

Hi,

My URL's are  not dynamic.

But I dont want to put all the words that will come before id 

https://xyz/api/connections/c1d30603ddf0

https://tyu/api/services/968d06b5666b

https://hju/api/processors/b5f990b529f4/run-status 

I tried by putting this:

rex field=Request_URL "\/(controller|process-groups|connections|processors)\/(?<process>[^\/]+)"

Then only URl's related to these 4 words are coming . Other Url's like(shown below) are not coming.

I want all data should be displayed but URL's which contains id part"b5f990b529f4" like this

I want to extract id part "b5f990b529f4" from the URL's which contain ID's. Should I need multiple regex or any number number regex we can use.

Please guide me on that.

If you check the link i provided it reads - 

The easiest solution is probably to rewrite the events with SEDCMD in props.conf on your indexer (or Heavy Forwarder);

[your sourcetype]
SEDCMD-blah = s/(\w+\.exe=\d{4,})/m_\1/g
As you can see, there are some assumptions here;
1) that all the stuff you want to rename ends in .exe
2) that they have at least a 4-digit value (i.e. greater than 1000)
3) that the binaries (i.e. field names) can contain only certain characters.

Adjust these things to suit your actual environment. Please note that this will actually change the events before the are written to disk, so if your'e not allowed to tamper with the data, this might not be the way to go.

I agree with that approach , your could try rewriting your events in the header  

Can please someone guide me on that part. Its really required.