Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex to return which includes a specific text
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex to return which includes a specific text
Hi,
I am planning to capture all the URIs with word chaser (case in sensitive).
I have used this
| regex uri="(?i)Chaser(?:[^\"])"
but did not get any results. do i need to include anything in the regex?
Thanks for your help.
Below are few examples.
/gdfgfd/N-/Ntt-MILWAUKEEFUEL?pm_sp=CS_Chaser--PO_L3_Multi--werwerdfg
/CHASER-STAKES-rOutdoor-brother-Retractable-6trJ3?we_sp=IO--PDI--RR_VTV70300505&cm_vc=WSPRRZ1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a duplicate question. An accepted answer may be found here: http://answers.splunk.com/answers/101946/regex-to-capture-uris-with-a-particular-word
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a little confused. Do you have a field called uri in the events, or are you trying to extract a field from the events and name that uri?
Would either of these satisfy your needs?
In the rex command you need to remove the space before and after uri
| rex "(?i)(?P< uri >/\S*Chaser\S*)"
or
| regex uri="(?i)/\S*Chaser\S*"
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dave,
I have field called uri and i want to get all the uri which contains "Chaser" in the uri filed. i want the regex. I tried regex uri="(?i)/\S*Chaser\S*" but did not work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try and execute your regex command I receive the error Mismatched ']'. Do you receive that error, or is there a typo in your post?
If you are getting the mismatched ] error, you probably need to escape the " character. So your regex command would become
| regex uri="(?i)Chaser(?:[^\"])"
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the uri have - in them do you think regex would catch those characters as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes your are right Dave. it was a type.
i tried that regex which you suggested still not getting any data.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
