Solved: Re: Feeding regex results of a query into another ...

crucifier_0 · ‎05-17-2022

My current Splunk regex query

10.66.189.62 -- -- -[17/May/2022:05:59:16--0400]--502- "POST /astra/sliceHTTP/1.1" req_len=1776-req_cont_len=117-req_cont_enc="-"-res_body_len=341 res_len=733 "https://ninepoint.blackrock.com/astra/". "Mozilla/5.0- (Macintosh; Intel-Mac-OS-X-10_15_7) -AppleWebKit/537.36-(KHTML,-Like-Gecko)
Chrome/10.0.4896.127 Safari/537.36" x_fw_for="-".req_time=278.326-ups_res_time=278.326 ups_con_time=0.011-ups_status=502-pipe=. -VNDRegID=undefined-

gives me;

POST /astra/sliceHTTP/1.1

I want to apply another query on the result of above query to get POST/astra/sliceHTTP/1.1 ,i.e

/astra

Is there a way or a better regex pattern which can provide me the following?

ITWhisperer · ‎05-17-2022

| rex field=_raw "\"\w*\s(?<url>\/[^\/]*)"

View solution in original post

ITWhisperer · ‎05-17-2022

What is your current regex?

Are you wanting to do this at indexing or search time?

Will the string always start with POST?

crucifier_0 · ‎05-17-2022

My current regex is

rex field=_raw \"\w*\s(?<url>.*?)\s.*\"

And it could start with POST or GET

Thank you

ITWhisperer · ‎05-17-2022

| rex field=_raw "\"\w*\s(?<url>\/[^\/]*)"

crucifier_0 · ‎05-18-2022

Thank you ITWhisperer, I was looking for the exact regex.

How to feed regex results of a query into another query?

eval

regex

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform