Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fetch the second last word of a sentence with the Splunk regex?

riginoommen
Explorer
‎02-23-2022 11:48 AM

My query is:

 

Mozilla/5.0 (X11; Linux x86_64; Catchpoint) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

 

I want to extract the following word from the above sting with regex can you please help me.

 

Chrome/87.0.4280.88

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-23-2022 12:15 PM

Try like this (replace everything before "rex" command with your search)

|makeresults | eval _raw="Mozilla/5.0 (X11; Linux x86_64; Catchpoint) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" | table _raw 
| rex "\s+(?<SecondLastPart>\S+)\s+\S+$"

  

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-23-2022 12:15 PM

Try like this (replace everything before "rex" command with your search)

|makeresults | eval _raw="Mozilla/5.0 (X11; Linux x86_64; Catchpoint) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" | table _raw 
| rex "\s+(?<SecondLastPart>\S+)\s+\S+$"

  

Reply
Solved! Jump to solution

riginoommen
Explorer
‎02-23-2022 12:31 PM

This fetched the data as expected but its not taking the filtered data from past output

0 Karma
Reply
Solved! Jump to solution

riginoommen
Explorer
‎02-23-2022 11:55 AM

Can you please see the updated question

0 Karma
Reply
Solved! Jump to solution

Stefanie
Builder
‎02-23-2022 12:56 PM

Sure

Try this one?

 

\s\S+\/\S+\s(?!\()
0 Karma
Reply
Solved! Jump to solution

Stefanie
Builder
‎02-23-2022 11:52 AM

Hi!

Try this Regex.

 

\b(\S+)$
Reply
Solved! Jump to solution

riginoommen
Explorer
‎02-23-2022 11:59 AM

How to use the regex with the rex tag

\b(\S+)$
can you please help me
 
0 Karma
Reply
Solved! Jump to solution

riginoommen
Explorer
‎02-23-2022 11:57 AM

Can you please see the updated question with the answer and I am trying to accommodate with the res. it will be super awesome if you share the full url

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...