We have a field such as - activity="POST->/cirrus/v1.0/providers"
We would like to extract everything after the POST->/cirrus/v1.0/ part.
What would be a way to do it?
This will pull that exact section out of a field called myfield and place it into a field called otherstuff
| rex field=myfield "POST->\/[^\/]+\/[^\/]+\/(?<otherstuff>[^\"]+)"
This will do that and also put the verb into a field called whatverb.
| rex field=myfield "(?<whatverb>POST|DELETE|GET|PUT)->\/[^\/]+\/[^\/]+\/(?<otherstuff>[^\"]+)"
Perfect!!!
1) Is "POST" the only verb you want it for? 2) Are there always exactly three slashes in the part you don't want?
That's exactly it ;-)
Sorry sorry -
| rex field=activity "POST->/cirrus/v1.0/(?<activity_clean>[a-z]+)"
did it...
Please accept your answer to close the question.
Ah, you meant that value within quotes was the value of the activity field.
I'd suggest changing that to one of the following -
| rex field=activity "POST->/cirrus/v1.0/(?
or
| rex field=activity "POST->/cirrus/v1.0/(?
...since you probably can't be sure that it will always be only lower-case alpha characters. You also don't know when the cirrus version might change, so you might want to wildcard that as well. I tested this as below.
| makeresults | eval activity="POST->/cirrus/v1.0/providers"
| rex field=activity "POST->/cirrus/[^/]+/(?<activity_clean>.+)"
I was a little surprised the slashes didn't have to be escaped, although the code DID accept escaping them. Live and learn.
I was surprised also about the non-escaping ;-)
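
Added example, not part of the original thread: the three complete patterns posted above, run in Python over constructed activity values to show where each one truncates or fails to extract. Python writes named groups as (?P<name>...), so the helper converts the rex form; the sample values and pattern labels are assumptions made for illustration.

```python
import re

# Patterns copied from the thread, kept in rex syntax. The labels are hypothetical.
PATTERNS = {
    "literal_lowercase": r"POST->/cirrus/v1.0/(?<activity_clean>[a-z]+)",
    "version_wildcard": r"POST->/cirrus/[^/]+/(?<activity_clean>.+)",
    "verb_and_path": r'(?<whatverb>POST|DELETE|GET|PUT)->\/[^\/]+\/[^\/]+\/(?<otherstuff>[^"]+)',
}

# Constructed sample values for the activity field (not taken from real logs).
SAMPLES = [
    "POST->/cirrus/v1.0/providers",
    "POST->/cirrus/v1.0/provider-groups/42",
    "POST->/cirrus/v2.1/Providers",
    "DELETE->/cirrus/v1.0/providers/42",
]


def rex(pattern, value):
    """Unanchored match, as rex does. Returns the named groups, or {} when
    nothing matches (rex then creates no field on the event)."""
    # Safe here because none of these patterns uses a lookbehind "(?<=" or "(?<!".
    match = re.search(pattern.replace("(?<", "(?P<"), value)
    return match.groupdict() if match else {}


def compare():
    """Map each sample to the fields every pattern extracts from it."""
    return {s: {name: rex(p, s) for name, p in PATTERNS.items()} for s in SAMPLES}


if __name__ == "__main__":
    for sample, results in compare().items():
        print(sample)
        for name, fields in results.items():
            print(f"  {name:18} {fields or 'no match'}")
```

The [a-z]+ pattern still matches "provider-groups/42" but silently yields only "provider", which is harder to notice in a search than a missing field.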