Solved: Re: Returning a url only to the 2nd slash?

isxtn · ‎08-04-2023

So, this PCRE regex works in testers, but not on Splunk.

^((http[s]?):\/)?\/?([^:\/\s]+)((\w+)*\/){2})

BUT in Splunk search, this:

rex field=referer "referer=(?<referer>^((http[s]?):\/)?\/?([^:\/\s]+)((\w+)*\/){2})

is returning the entire url, i.e., https://someurl.com/first/second/third/fourth/etc

What's the proper way to get what I'm looking for? Confused that this works in testers but not Splunk.

jotne · ‎08-04-2023

Just count 4 /

| makeresults 
| eval url="https://someurl.com/first/second/third/fourth/etc"
| rex field=url "(?<test>^(?:[^\/]*\/){4})"

isxtn · ‎08-04-2023

Thanks!

jotne · ‎08-04-2023

Just count 4 /

| makeresults 
| eval url="https://someurl.com/first/second/third/fourth/etc"
| rex field=url "(?<test>^(?:[^\/]*\/){4})"

How to return a url only to the 2nd slash?