Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex assistance

ddrillic
Ultra Champion
‎02-20-2017 09:36 AM

We have a field such as - activity="POST->/cirrus/v1.0/providers"
We would like to extract everything after the POST->/cirrus/v1.0/ part.

What would be a way to do it?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-20-2017 10:07 AM

This will pull that exact section out of a field called myfield and place it into a field called otherstuff

| rex field=myfield  "POST->\/[^\/]+\/[^\/]+\/(?<otherstuff>[^\"]+)"

This will do that and also put the verb into a field called whatverb.

| rex field=myfield  "(?<whatverb>POST|DELETE|GET|PUT)->\/[^\/]+\/[^\/]+\/(?<otherstuff>[^\"]+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-20-2017 10:07 AM

This will pull that exact section out of a field called myfield and place it into a field called otherstuff

| rex field=myfield  "POST->\/[^\/]+\/[^\/]+\/(?<otherstuff>[^\"]+)"

This will do that and also put the verb into a field called whatverb.

| rex field=myfield  "(?<whatverb>POST|DELETE|GET|PUT)->\/[^\/]+\/[^\/]+\/(?<otherstuff>[^\"]+)"
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-20-2017 11:29 AM

Perfect!!!

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-20-2017 10:00 AM

1) is "POST" the only verb you want it for? 2) are there always exactly three slashes in the part you don't want?

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-20-2017 10:03 AM

That's exactly it ; -)

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-20-2017 09:50 AM

Sorry sorry - | rex field=activity "POST->/cirrus/v1.0/(?<activity_clean>[a-z]+)" did it...

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-20-2017 11:40 AM

please accept your answer to close the question.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-20-2017 11:40 AM

Ah, you meant that value within quotes was the value of the activity field.

I'd suggest changing that to one of the following -
| rex field=activity "POST->/cirrus/v1.0/(?.+)"
or
| rex field=activity "POST->/cirrus/v1.0/(?\w+)"

...since you probably can't be sure that it will always be only lower-case alpha characters. You also don't know when the cirrus version might change, so you might want to wildcard that as well. I tested this as below.

| makeresults | eval activity="POST->/cirrus/v1.0/providers"  
| rex field=activity  "POST->/cirrus/[^/]+/(?<activity_clean>.+)"

I was a little surprised the slashes didn't have to be escaped, although the code DID accept escaping them. Live and learn.

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-20-2017 11:41 AM

I was surprised also about the non-escaping ; -)

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...