Solved: Re: Feeding regex results of a query into another ...

crucifier_0 · ‎05-17-2022

My current Splunk regex query

10.66.189.62 -- -- -[17/May/2022:05:59:16--0400]--502- "POST /astra/sliceHTTP/1.1" req_len=1776-req_cont_len=117-req_cont_enc="-"-res_body_len=341 res_len=733 "https://ninepoint.blackrock.com/astra/". "Mozilla/5.0- (Macintosh; Intel-Mac-OS-X-10_15_7) -AppleWebKit/537.36-(KHTML,-Like-Gecko)
Chrome/10.0.4896.127 Safari/537.36" x_fw_for="-".req_time=278.326-ups_res_time=278.326 ups_con_time=0.011-ups_status=502-pipe=. -VNDRegID=undefined-

gives me;

POST /astra/sliceHTTP/1.1

I want to apply another query on the result of above query to get POST/astra/sliceHTTP/1.1 ,i.e

/astra

Is there a way or a better regex pattern which can provide me the following?

ITWhisperer · ‎05-17-2022

| rex field=_raw "\"\w*\s(?<url>\/[^\/]*)"

View solution in original post

ITWhisperer · ‎05-17-2022

What is your current regex?

Are you wanting to do this at indexing or search time?

Will the string always start with POST?

crucifier_0 · ‎05-17-2022

My current regex is

rex field=_raw \"\w*\s(?<url>.*?)\s.*\"

And it could start with POST or GET

Thank you

ITWhisperer · ‎05-17-2022

| rex field=_raw "\"\w*\s(?<url>\/[^\/]*)"

crucifier_0 · ‎05-18-2022

Thank you ITWhisperer, I was looking for the exact regex.

How to feed regex results of a query into another query?

eval

regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!