Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

lanceblais
Explorer
‎04-16-2015 07:57 AM

Hello,

I have data in Splunk Cloud which has a path=/api/versions/:version_id where version_id can be anything acceptable in a URL.

I'm trying to write a search that finds and creates a pie chart of the :version_ids over the past 24 hours and past 7 days.

I've tried this search, but it's not returning the right results: 

source=/var/log/mylog.log | rex field=path "/api/versions/(?.*)"

I get results that don't actually match the regex above.

Can anyone point me to some docs so I can get the right usage of the regex and create my dashboard?

Thanks

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-16-2015 08:19 AM

Slashes must be escaped and your group is mal-formed. Try this:

... | rex field=path "\/api\/versions\/:(?<version_id>.*)"
---
If this reply helps you, Karma would be appreciated.
Reply

lanceblais
Explorer
‎04-16-2015 10:33 AM

Thanks for the info. I've adapted my string:

source=/var/log/my.log | rex field=path "\/api\/versions\/:(?.*)"

But it's still matching things like /api/sections/123/items/123

Any ideas?

Note: This box keeps striping out the < version_id >

0 Karma
Reply

somesoni2
Revered Legend
‎04-16-2015 10:45 AM

Above does works for me and its not matching. See this runanywhere sample search

| gentimes start=-1 | eval path="/api/versions/:version_id /api/versions/api/sections/123/items/123 /api/versions/123/items/123 /api/versions/:version_id /api/sections/123/items/123" | table path | makemv path | mvexpand path | rex field=path "\/api\/versions\/:(?<version_id>.*)"

Can you post some sample values of field path, including the ones that are not working?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-16-2015 10:44 AM

There's no way "/api/versions/:" can match "/api/sections/". Perhaps it would help if you shared (anonymized) sample data.

($.*) is not a valid regex construct. Use
(?<version_id>.*).

You can change 'version_id' to any string you want to be the field name to hold matching version IDs.

Indent your code by 4 spaces to preserve backslashes and other formatting characters.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...