Splunk Search

Regex to start with specific characters

xvxt006
Contributor

Hi, i would like to get all the requests that start with / and there will be few alpha numeric characters and then ends with .css or .js, etc.

i have tried ^/*.(css|js) but did not work. Any suggestions?

Sample requests

/B387_38.css
/Globalfile.js
Tags (1)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

Well, you probably should not start the regex with a caret (^), unless you want to start your matching from the very beginning of the event. Also, there seems to be some confusion regarding regex wildcard characters.

* = match the preceding character zero or more times
. = match any character (once)

"slash, followed by a few alphanums, followed by dot, followed by either css or js" would look like;

/[A-Za-z0-9]+\.(js|css)

if you also want underscore to match in the filename, you can actually shorten the expression

/\w+\.(js|css)

Note, if you want to use the regex search command, you might need to specify more things, like a field to operate on, or quoting.

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Regex

View solution in original post

0 Karma

kristian_kolb
Ultra Champion

Well, you probably should not start the regex with a caret (^), unless you want to start your matching from the very beginning of the event. Also, there seems to be some confusion regarding regex wildcard characters.

* = match the preceding character zero or more times
. = match any character (once)

"slash, followed by a few alphanums, followed by dot, followed by either css or js" would look like;

/[A-Za-z0-9]+\.(js|css)

if you also want underscore to match in the filename, you can actually shorten the expression

/\w+\.(js|css)

Note, if you want to use the regex search command, you might need to specify more things, like a field to operate on, or quoting.

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Regex

0 Karma

kristian_kolb
Ultra Champion

yep, if you use a field to operate on, the caret is relative to the field value.

0 Karma

Ayn
Legend

Add the initial caret.

0 Karma

xvxt006
Contributor

Thank you Kristian. the pattern i gave is uri and it always starts with / so that is why i had ^. So if i wanted to start with should i just add ^ at the beginning for the regex expression.

When i use the regex you have given, i am getting

/mobile/m/shared/css/global.css
/js/grainger/addtocartajax.js

which is not the format i am looking for (/B387_38.css or
/Globalfile.js). Do you know what to change?

0 Karma

kristian_kolb
Ultra Champion

OOPS. A typo in the regexs. Fixed that now.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...