Hi,
I have the URLs below. How can I use a regex to remove the tokens from the URLs? I'm looking to remove the data between /interactions/ and result_data.
sample:
https://test.com:443/test11/interactions/000e433c-a27-344347f-drfere/result_data
output needed:
Similar to what sduff wrote but more generalized to just remove everything between the last slashes (/)
| rex field=url "(?<part1>.+\/).+\/(?<part2>.+)"
| eval url=part1+part2
Like this:
... rex field=url mode=sed "s%/interactions/.*/result_data%/interactions/result_data%"
Are you looking to replace this at search time?
rex field=url "^(?<part1>.*/interactions)/.*/(?<part2>result_data)$" | eval url=part1."/".part2
If you are looking to do this at index time, you will need to use SEDCMD or transforms to replace the token (https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Anonymizedata).
In props.conf,
SEDCMD-remove_tokens = s/interactions\/.*\/result_data/interactions\/result_data/