Below is the string I need to extract ROM_RAMESH from and similarly there are multiple client info so I need a regular expression and I am very new to that.
I used the extract field but can't get what I need ...
21.432.632.53 - - [14/Jan/2015:13:23:57 -0500] "GET /ROM_RAMESH/images/bg.gif HTTP/1.1" 200 64 - 38E8352722F7ADE88844A3B026752BCC.bgitcostumen1 - - https://cbsplake.boysdtom.com/ROM_RAMESH/BrandHistory.do -
When I use this:
index="cc_web" sourcetype= * | rex field=_raw "(?i)^(?:[^\-]*\-){6}\s+(?P.+?)\w+\.\w+\s+" | top limit=100 Clients
I get only this as a result
https://cbsplake.boysdtom.com/ROM_RAMESH/
I need
ROM_RAMESH
If your input is having the built-in httpd access transforms applied, you should have access to the uri_path field and this should work and give you a field called field1:
[your search]| rex field=uri_path "^/(?<field1>[^/]*)/"
If you are not using the access log transforms with this sourcetype then the following should also work for GET and POST requests:
[your search] | rex field=_raw "(GET|POST)\s/(?<field1>[^/]*)/"