Splunk Search

Regex assistance

ddrillic
Ultra Champion

We have a field such as - activity="POST->/cirrus/v1.0/providers"
We would like to extract everything after the POST->/cirrus/v1.0/ part.

What would be a way to do it?

1 Solution

DalJeanis
SplunkTrust

This will pull that exact section out of a field called myfield and place it into a field called otherstuff

| rex field=myfield  "POST->\/[^\/]+\/[^\/]+\/(?<otherstuff>[^\"]+)" 

This will do that and also put the verb into a field called whatverb.

| rex field=myfield  "(?<whatverb>POST|DELETE|GET|PUT)->\/[^\/]+\/[^\/]+\/(?<otherstuff>[^\"]+)" 

ddrillic
Ultra Champion

Perfect!!!


DalJeanis
SplunkTrust

1) Is "POST" the only verb you want it for? 2) Are there always exactly three slashes in the part you don't want?


ddrillic
Ultra Champion

That's exactly it ;-)


ddrillic
Ultra Champion

Sorry sorry - | rex field=activity "POST->/cirrus/v1.0/(?<activity_clean>[a-z]+)" did it...


DalJeanis
SplunkTrust

Please accept your answer to close the question.


DalJeanis
SplunkTrust

Ah, you meant that value within quotes was the value of the activity field.

I'd suggest changing that to one of the following -
| rex field=activity "POST->/cirrus/v1.0/(?<activity_clean>.+)"
or
| rex field=activity "POST->/cirrus/v1.0/(?<activity_clean>\w+)"

...since you probably can't be sure that it will always be only lower-case alpha characters. You also don't know when the cirrus version might change, so you might want to wildcard that as well. I tested this as below.

| makeresults | eval activity="POST->/cirrus/v1.0/providers"  
| rex field=activity  "POST->/cirrus/[^/]+/(?<activity_clean>.+)"

I was a little surprised the slashes didn't have to be escaped, although the code DID accept escaping them. Live and learn.
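Added example, not part of the thread: the patterns from the accepted answer and from the reply above, run over a handful of constructed activity values so the difference between them is visible. JavaScript is used because its regex engine accepts the same (?<name>...) named-group syntax that Splunk's rex uses, so the patterns carry over without rewriting. The sample values, the function names and the SAMPLES list are assumptions made here for illustration; "providers/123", "v2.0" and "Providers" are made up to show sub-paths, a version change and mixed case.

```javascript
// Pattern from the accepted answer: capture the HTTP verb and everything after the
// third slash. Neither "cirrus" nor the version is hard-coded.
const VERB_AND_REST = /(?<whatverb>POST|DELETE|GET|PUT)->\/[^/]+\/[^/]+\/(?<otherstuff>[^"]+)/;

// The asker's first attempt: only lower-case letters after a fixed "v1.0" are captured.
const LOWER_ONLY = /POST->\/cirrus\/v1\.0\/(?<activity_clean>[a-z]+)/;

// The suggested replacement from the reply: wildcard the version segment, keep the rest.
const VERSION_WILDCARD = /POST->\/cirrus\/[^/]+\/(?<activity_clean>.+)/;

// Returns {whatverb, otherstuff} or null when the pattern does not match.
function extractVerbAndRest(activity) {
  const m = VERB_AND_REST.exec(activity);
  return m ? { whatverb: m.groups.whatverb, otherstuff: m.groups.otherstuff } : null;
}

// Returns the captured resource or null. Note that a match is not anchored to the end
// of the value, so "providers/123" silently comes back as "providers".
function extractLowerOnly(activity) {
  const m = LOWER_ONLY.exec(activity);
  return m ? m.groups.activity_clean : null;
}

// Returns the captured resource or null; still limited to POST, as in the thread.
function extractVersionWildcard(activity) {
  const m = VERSION_WILDCARD.exec(activity);
  return m ? m.groups.activity_clean : null;
}

// Constructed sample values (assumption: the field holds the value without the quotes).
const SAMPLES = [
  'POST->/cirrus/v1.0/providers',      // the value from the question
  'POST->/cirrus/v1.0/providers/123',  // sub-path: [a-z]+ stops at the slash
  'POST->/cirrus/v2.0/Providers',      // new version and mixed case: the v1.0/[a-z]+ pattern misses it
  'GET->/cirrus/v1.0/providers',       // other verb: POST-only patterns return nothing
];

// Runs all three extractions over the samples so the results can be compared side by side.
function compare(samples = SAMPLES) {
  return samples.map((activity) => ({
    activity,
    verbAndRest: extractVerbAndRest(activity),
    lowerOnly: extractLowerOnly(activity),
    versionWildcard: extractVersionWildcard(activity),
  }));
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```

The point for anyone feeding the extracted field into a search or alert: a too-narrow class like [a-z]+ does not error, it either returns nothing or a truncated value, so events with sub-paths, new versions or other verbs would quietly fall out of whatever dashboard or detection keys on activity_clean.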

ddrillic
Ultra Champion

I was surprised also about the non-escaping ;-)
