Solved: Regex for digits before .zip

jacqu3sy · ‎04-01-2020

Hi,

How do I write a regex to capture whenever I see any combination of 10 digits followed by .zip within a _raw event?

eg:

Thanks.

vnravikumar · ‎04-01-2020

Try like

| rex field=url "\/(?P<result>\d{10}.zip)"

woodcock · ‎04-01-2020

Like this:

... | rex field=url mode=sed "s/\.zip//"

vnravikumar · ‎04-01-2020

Try like

| rex field=url "\/(?P<result>\d{10}.zip)"

jacqu3sy · ‎04-01-2020

ah yeh, how would I capture the whole URL though in the new result field? rather than just the 6 digits?

vnravikumar · ‎04-01-2020

what is your expected result?

jacqu3sy · ‎04-01-2020

Expected result is the full URL listed, but to only pull back URL's that match the regex, i.e. 10 digits followed by .zip

vnravikumar · ‎04-01-2020

Check this rex (?P<result>url=\S+\/\d{10}.zip)

jacqu3sy · ‎04-01-2020

Perfect. Many thanks 🙂

kamlesh_vaghela · ‎04-01-2020

@jacqu3sy

Try this:

YOUR SEARCH | rex field=url "(?<data>\d.*).zip"

Sample

|makeresults | eval url="www.abcdef.com/1234532419.zip" | rex field=url "(?<data>\d.*).zip"

jacqu3sy · ‎04-01-2020

ah yeh, how would I capture the whole URL though in the new data field? rather than just the 6 digits?

Regex for digits before .zip