Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex to return which includes a specific text
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex to return which includes a specific text
Hi,
I am planning to capture all the URIs with word chaser (case in sensitive).
I have used this
| regex uri="(?i)Chaser(?:[^\"])"
but did not get any results. do i need to include anything in the regex?
Thanks for your help.
Below are few examples.
/gdfgfd/N-/Ntt-MILWAUKEEFUEL?pm_sp=CS_Chaser--PO_L3_Multi--werwerdfg
/CHASER-STAKES-rOutdoor-brother-Retractable-6trJ3?we_sp=IO--PDI--RR_VTV70300505&cm_vc=WSPRRZ1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a duplicate question. An accepted answer may be found here: http://answers.splunk.com/answers/101946/regex-to-capture-uris-with-a-particular-word
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a little confused. Do you have a field called uri in the events, or are you trying to extract a field from the events and name that uri?
Would either of these satisfy your needs?
In the rex command you need to remove the space before and after uri
| rex "(?i)(?P< uri >/\S*Chaser\S*)"
or
| regex uri="(?i)/\S*Chaser\S*"
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dave,
I have field called uri and i want to get all the uri which contains "Chaser" in the uri filed. i want the regex. I tried regex uri="(?i)/\S*Chaser\S*" but did not work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try and execute your regex command I receive the error Mismatched ']'. Do you receive that error, or is there a typo in your post?
If you are getting the mismatched ] error, you probably need to escape the " character. So your regex command would become
| regex uri="(?i)Chaser(?:[^\"])"
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the uri have - in them do you think regex would catch those characters as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes your are right Dave. it was a type.
i tried that regex which you suggested still not getting any data.
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
