Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Regex for uri path

loadtest
New Member
‎03-11-2014 12:49 PM

Hi,

I'm having trouble extracting the uri_path of my log files.

Here's an example of a line in my log file

115.252.41.38 "65.165.121.16" - www.site.com [27/Feb/2014:23:29:59 -0500] "GET /images/focus/gallery/?zipCode=70006&distance=50 HTTP/1.1" 200 67362 1 esds036b.md5.site.com:9789 "-" "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53"

I'm trying to extract out "/images/focus/gallery/" with a Regex, but am having difficulties in doing so. Any help is appreciated.

Tags (2)
0 Karma
Reply

ianathompson
Explorer
‎08-28-2014 01:44 AM

For the weblogs, I just used the inline field extractor with some small changes to extract the uriPath from the uri field that was imported from the AWS ELB logs I received. The main issue is some URIs have query fields (?key=value) and some do not. This has worked for me so far.

rex field=uri "(?i)^(?:[^/]*/){3}(?P<uriPath>[^(\?|\s)]+)"

If I make any more changes, I will update the rex.

Also you can check out the URL Parser app in the Splunk App Store. Just take note that it has errors in the code that have to be corrected. They are noted here.

0 Karma
Reply

lukejadamec
Super Champion
‎03-11-2014 12:59 PM

Try this:

search | regex "\s/[^ ]+/[^ ]+/[^ ]+/"

0 Karma
Reply

lukejadamec
Super Champion
‎03-11-2014 02:32 PM

You can try rex:

search | rex "^.*\s(?P<uri_path>/[^ ]+/[^ ]+/[^ ]+/)\S"

That should pull out a uri_path field that can be used for statistics or charting.

0 Karma
Reply

loadtest
New Member
‎03-11-2014 01:10 PM

How would I extract the path out to a variable to chart it? For example the top used paths using "top limit=2 uri_path"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...