Splunk Search

I want to extract information from this field within these specific parameters using a rex command

New Member

Hi Splunker,

I want to use a rex command that extracts until Splunk finds one of the parameters below in the logs:
1) ?
2) sag
3) If both of the options are not there then full statement until the end to be extracted.

My logs look like this. Any one of these examples can appear in my logs:

Ex-1 "POST /services/api/cumulativeLogo?trespassxyz (I want data to be rexed as POST /services/api/cumulativeLogo)
Ex-2 "POST /services/api/cumulativeLogosag (data to be looked as POST /services/api/cumulativeLogo)
Ex-3 "POST /services/api/cumulativeLogosamplefull.lopend.parameter (data to be rexed as POST /services/api/cumulativeLogosamplefull.lopend.parameter)

Thanks in advance

0 Karma

Motivator

Try this:

| makeresults | eval tst="POST /services/api/cumulativeLogo?trespassxyz#POST /services/api/cumulativeLogosag#POST /services/api/cumulativeLogosamplefull.lopend.parameter" | eval tst=split(tst,"#") | mvexpand tst | rex field=tst "(?<exValue>\S+.*?)(\?|sag|$)"

0 Karma

SplunkTrust

Try this:

your base search | rex "\"(?<URI>.+?)(\?|sag|$)"

See it working with sample data here: https://regex101.com/r/ApNEXM/1
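
An added example, not part of the original posts: the JavaScript below runs a greedy and a lazy form of the pattern over the three sample events from the question, using the same `(?<name>...)` group syntax that rex accepts. The fourth sample event and the `STRICT` pattern are assumptions added here to show what happens when "sag" occurs inside a path segment such as "message".

```javascript
// Constructed sample events: the three from the question, plus one added
// edge case whose path contains "sag" in the middle of a word ("message").
const samples = [
  '"POST /services/api/cumulativeLogo?trespassxyz',
  '"POST /services/api/cumulativeLogosag',
  '"POST /services/api/cumulativeLogosamplefull.lopend.parameter',
  '"POST /services/api/message?id=1',
];

// Greedy: .+ consumes the whole line, then "$" satisfies the alternation,
// so the capture never stops at "?" or "sag".
const GREEDY = /"(?<URI>.+)(\?|sag|$)/;

// Lazy: .+? grows one character at a time and stops at the first
// "?", "sag" or end of line, whichever comes first.
const LAZY = /"(?<URI>.+?)(\?|sag|$)/;

// Stricter variant (assumption, not stated in the thread): "sag" is only a
// suffix to strip when it sits directly before "?" or the end of the line.
const STRICT = /"(?<URI>[^?]+?)(?:sag)?(?:\?|$)/;

// Return the URI capture for one event, or null when nothing matches.
function extract(re, line) {
  const m = re.exec(line);
  return m ? m.groups.URI : null;
}

// Build one row per sample so the three patterns can be compared.
function compare(lines) {
  return lines.map((line) => ({
    line,
    greedy: extract(GREEDY, line),
    lazy: extract(LAZY, line),
    strict: extract(STRICT, line),
  }));
}

console.table(compare(samples));
```

When a pattern like these is pasted into a rex string, the leading double quote has to be escaped as `\"`, as in the answer above.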