Solved: Re: Error parsing URL in Splunk

Badab · ‎04-28-2023

Hello,

I'm trying to parse URLs in Java logs (*.trace), it works for complete URL with this following request :

index=os_win_wks sourcetype="os_win_wks:java:trace"
| rex field=_raw (?<URL>https?:\/\/\S+)

but I want to stop to the first "/" with this one, then I have an error message :

index=os_win_wks sourcetype="os_win_wks:java:trace"
| rex (?<url>https?:\/\\[^:\/]+)

Error => Error in 'SearchParser': Missing a search command before '^'. Error at position '75' of search query 'search index=* sourcetype="os_win_wks:java:trace" ...{snipped} {errorcontext = tps?:\/\\[^:\/]+)}'.

Could you help me please ?

javiergn · ‎04-28-2023

Hi @Badab , I think there is a typo as you did not escape a forward slash but a backslash.

It should be like:

| rex "(?<url>https?:\/\/[^:\/]+)"

I've tested it and it seems to do what you are asking:

Regards,

J

View solution in original post

javiergn · ‎04-28-2023

Hi @Badab , I think there is a typo as you did not escape a forward slash but a backslash.

It should be like:

| rex "(?<url>https?:\/\/[^:\/]+)"

I've tested it and it seems to do what you are asking:

Regards,

J

Badab_one · ‎05-02-2023

It works, thank you !

How to solve Error parsing URL in Splunk?

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation