Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Regex to return which includes a specific text

xvxt006
Contributor
‎09-09-2013 08:26 AM

Hi,

I am planning to capture all the URIs with word chaser (case in sensitive).

I have used this
| regex uri="(?i)Chaser(?:[^\"])"

but did not get any results. do i need to include anything in the regex?
Thanks for your help.

Below are few examples.

/gdfgfd/N-/Ntt-MILWAUKEEFUEL?pm_sp=CS_Chaser--PO_L3_Multi--werwerdfg
/CHASER-STAKES-rOutdoor-brother-Retractable-6trJ3?we_sp=IO--PDI--RR_VTV70300505&cm_vc=WSPRRZ1

Tags (1)
0 Karma
Reply

rturk
Builder
‎09-10-2013 04:53 AM

This is a duplicate question. An accepted answer may be found here: http://answers.splunk.com/answers/101946/regex-to-capture-uris-with-a-particular-word

0 Karma
Reply

davebrooking
Contributor
‎09-09-2013 10:24 AM

I'm a little confused. Do you have a field called uri in the events, or are you trying to extract a field from the events and name that uri?

Would either of these satisfy your needs?

In the rex command you need to remove the space before and after uri

| rex "(?i)(?P< uri >/\S*Chaser\S*)"

or

| regex uri="(?i)/\S*Chaser\S*"

Dave

0 Karma
Reply

xvxt006
Contributor
‎09-09-2013 10:59 AM

Hi Dave,

I have field called uri and i want to get all the uri which contains "Chaser" in the uri filed. i want the regex. I tried regex uri="(?i)/\S*Chaser\S*" but did not work

0 Karma
Reply

davebrooking
Contributor
‎09-09-2013 09:35 AM

When I try and execute your regex command I receive the error Mismatched ']'. Do you receive that error, or is there a typo in your post?

If you are getting the mismatched ] error, you probably need to escape the " character. So your regex command would become 

 | regex uri="(?i)Chaser(?:[^\"])"

Dave

0 Karma
Reply

xvxt006
Contributor
‎09-09-2013 09:43 AM

the uri have - in them do you think regex would catch those characters as well?

0 Karma
Reply

xvxt006
Contributor
‎09-09-2013 09:43 AM

Yes your are right Dave. it was a type.

i tried that regex which you suggested still not getting any data.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...