Solved: Regex to capture uris with a particular word

xvxt006 · ‎09-09-2013

I am looking for regex to capture all the URIs which includes "chaser" (case insensitive).

I have used this

<base search> | regex uri="(?i)Chaser(?:[^\"])"

but did not get any results. do i need to include anything in the regex? Thanks for your help.

Below are few event samples:

/gdfgfd/N-/Ntt-MILWAUKEEFUEL?pm_sp=CS_Chaser--PO_L3_Multi--werwerdfg
/CHASER-STAKES-rOutdoor-brother-Retractable-6trJ3?we_sp=IO--PDI--RR_VTV70300505&cm_vc=WSPRRZ1

rturk · ‎09-09-2013

Hi xvxt006,

Try this:

<base search> | regex uri="(Chaser)"

Reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex

EDIT: Oh wait... you said case insensitive...

<base search> uri="*chaser*"

By default, search terms are case insensitive

Let me know how you get along 🙂

View solution in original post

rturk · ‎09-09-2013

Hi xvxt006,

Try this:

<base search> | regex uri="(Chaser)"

Reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex

EDIT: Oh wait... you said case insensitive...

<base search> uri="*chaser*"

By default, search terms are case insensitive

Let me know how you get along 🙂

xvxt006 · ‎09-09-2013

Hi, Thank you. It worked. i used this..did not know that it would be that simple 🙂
regex uri="(?i)(Chaser)". Do you know why it did not work when i had this? Anyways thank you so much for your help.

(?i)Chaser(?:[^"])

Regex to capture uris with a particular word

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Regex to capture uris with a particular word

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases