I have data in Splunk Cloud which has a
version_id can be anything acceptable in a URL.
I'm trying to write a search that finds and creates a pie chart of the
:version_ids over the past 24 hours and past 7 days.
I've tried this search, but it's not returning the right results:
source=/var/log/mylog.log | rex field=path "/api/versions/(?.*)"
I get results that don't actually match the regex above.
Can anyone point me to some docs so I can get the right usage of the regex and create my dashboard?
Slashes must be escaped and your group is mal-formed. Try this:
... | rex field=path "\/api\/versions\/:(?<version_id>.*)"
Thanks for the info. I've adapted my string:
source=/var/log/my.log | rex field=path "\/api\/versions\/:(?<version_id>.*)"
But it's still matching things like
Note: This box keeps stripping out the <version_id>
The above does work for me and it's not matching. See this run-anywhere sample search:
| gentimes start=-1 | eval path="/api/versions/:version_id /api/versions/api/sections/123/items/123 /api/versions/123/items/123 /api/versions/:version_id /api/sections/123/items/123" | table path | makemv path | mvexpand path | rex field=path "\/api\/versions\/:(?<version_id>.*)"
Can you post some sample values of field path, including the ones that are not working?
There's no way "/api/versions/:" can match "/api/sections/". Perhaps it would help if you shared (anonymized) sample data.
($.*) is not a valid regex construct. Use
You can change 'versionid' to any string you want to be the field name to hold matching version IDs.
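As an added check that is not part of this thread or of Splunk itself, the Python below applies the same regex to constructed sample paths (the ones from the run-anywhere search plus two extra) and tallies them the way `stats count by version_id` would for the pie chart. The stricter one-segment pattern is my own suggestion, not something proposed above.

```python
import re
from collections import Counter

# Constructed sample paths mirroring the run-anywhere search, plus two extra cases
# (a version with punctuation and one followed by a query string).
SAMPLE_PATHS = [
    "/api/versions/:version_id",
    "/api/versions/api/sections/123/items/123",
    "/api/versions/123/items/123",
    "/api/versions/:version_id",
    "/api/sections/123/items/123",
    "/api/versions/v2.1-beta/items/7",
    "/api/versions/abc?expand=true",
]

# Equivalent of: rex field=path "\/api\/versions\/:(?<version_id>.*)"
# Python spells the named group (?P<name>...); Splunk's PCRE spells it (?<name>...).
# The literal ':' means only the unresolved route template matches, and '.*' swallows
# everything after it, so "/api/sections/..." can never produce a version_id here.
REX_LITERAL_COLON = re.compile(r"/api/versions/:(?P<version_id>.*)")

# Assumed stricter variant: drop the ':' and stop at the next '/' or '?', so trailing
# segments like "/items/123" or a query string are not captured into version_id.
REX_ONE_SEGMENT = re.compile(r"/api/versions/(?P<version_id>[^/?]+)")


def extract_version_ids(paths, pattern):
    """Apply the pattern per event like rex: an event that does not match gets no field."""
    out = []
    for p in paths:
        m = pattern.search(p)
        out.append(m.group("version_id") if m else None)
    return out


def count_by_version(paths, pattern):
    """Equivalent of '| stats count by version_id', the input a pie chart is built from."""
    return Counter(v for v in extract_version_ids(paths, pattern) if v is not None)


if __name__ == "__main__":
    for name, pat in (("literal colon", REX_LITERAL_COLON), ("one segment", REX_ONE_SEGMENT)):
        print(name, dict(count_by_version(SAMPLE_PATHS, pat)))
```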