Splunk Search

How to use regex to replace string?

knalla
Path Finder

Hi,

I have the below urls. How can I use the regex to remove the tokens from urls? Looking to remove data between /interactions/ and result_data.

sample:
https://test.com:443/test11/interactions/000e433c-a27-344347f-drfere/result_data

output needed:

https://test.com:443/test11/interactions/result_data

Tags (2)
0 Karma
1 Solution

burwell
SplunkTrust
SplunkTrust

Similar to what sduff wrote but more generalized to just remove everything between the last slashes (/)

| rex field=url "(?<part1>.+\/).+\/(?<part2>.+)"
| eval url=part1+part2

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

... rex field=url mode=sed "s%/interactions/.*/result_data%/interactions/result_data%"

burwell
SplunkTrust
SplunkTrust

Similar to what sduff wrote but more generalized to just remove everything between the last slashes (/)

| rex field=url "(?<part1>.+\/).+\/(?<part2>.+)"
| eval url=part1+part2
0 Karma

sduff_splunk
Splunk Employee
Splunk Employee

Are you looking to replace this as search time?

rex field=url "^(?<part1>.*/interactions)/.*/(?<part2>result_data)$" | eval url=part1."/".part2

If you are looking to do this at index time, you will need to use SEDCMD or transforms to replace the token (https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Anonymizedata ).
In props.conf,

SEDCMD-remove_tokens = s/interactions\/.*\/result-data/interactions\/result-data
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...