Regex question

xvxt006 · ‎10-27-2013

Hi,

we have 2 uri patterns as shown below

/search?searchQuery=4gmw4 (the end part is always single word which is alpha numeric)
/search?searchQuery=Snatch+Blocks++%281%2F2+to+2+ton%29 (in this end part can have spaces, multiple words, etc).

for the first one i tried this and did not work.
| regex uri="(?=/search\?searchQuery=\w+$)"

2nd one no clue. Any suggestions would help.

_d_ · ‎10-27-2013

You can try using a regex that captures anything that follows the equal sign, that is not an equal sign.

| regex uri="(searchQuery=[^=]*$)"

amarsaroj · ‎10-27-2013

adding to above answer:

If you want to capture the 2 uri patterns separately, then use

| regex uri="(searchQuery=[^+=]$)"
and
| regex uri="(searchQuery=[^=]+[^=]$)"

assuming '+' does not appears in first uri type and is always present in 2nd uri type.

xvxt006 · ‎10-27-2013

i think when i add backslash it is somehow skipping that in the portal. So there is backslash next to w

xvxt006 · ‎10-27-2013

Actually the below expression did work out for me for the first uri pattern.
| regex (uri="searchQuery=\w{5}" i want to get only 2nd pattern but not the 1st one..

so i tried this but giving me syntax error. Can someone help with this?

regex (uri="searchQuery=\w+" AND regex (uri!="searchQuery=\w{5}")

Regex question

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!