Splunk Search

Regex to start with specific characters

xvxt006
Contributor

Hi, i would like to get all the requests that start with / and there will be few alpha numeric characters and then ends with .css or .js, etc.

i have tried ^/*.(css|js) but did not work. Any suggestions?

Sample requests

/B387_38.css
/Globalfile.js
Tags (1)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

Well, you probably should not start the regex with a caret (^), unless you want to start your matching from the very beginning of the event. Also, there seems to be some confusion regarding regex wildcard characters.

* = match the preceding character zero or more times
. = match any character (once)

"slash, followed by a few alphanums, followed by dot, followed by either css or js" would look like;

/[A-Za-z0-9]+\.(js|css)

if you also want underscore to match in the filename, you can actually shorten the expression

/\w+\.(js|css)

Note, if you want to use the regex search command, you might need to specify more things, like a field to operate on, or quoting.

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Regex

View solution in original post

0 Karma

kristian_kolb
Ultra Champion

Well, you probably should not start the regex with a caret (^), unless you want to start your matching from the very beginning of the event. Also, there seems to be some confusion regarding regex wildcard characters.

* = match the preceding character zero or more times
. = match any character (once)

"slash, followed by a few alphanums, followed by dot, followed by either css or js" would look like;

/[A-Za-z0-9]+\.(js|css)

if you also want underscore to match in the filename, you can actually shorten the expression

/\w+\.(js|css)

Note, if you want to use the regex search command, you might need to specify more things, like a field to operate on, or quoting.

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Regex

0 Karma

kristian_kolb
Ultra Champion

yep, if you use a field to operate on, the caret is relative to the field value.

0 Karma

Ayn
Legend

Add the initial caret.

0 Karma

xvxt006
Contributor

Thank you Kristian. the pattern i gave is uri and it always starts with / so that is why i had ^. So if i wanted to start with should i just add ^ at the beginning for the regex expression.

When i use the regex you have given, i am getting

/mobile/m/shared/css/global.css
/js/grainger/addtocartajax.js

which is not the format i am looking for (/B387_38.css or
/Globalfile.js). Do you know what to change?

0 Karma

kristian_kolb
Ultra Champion

OOPS. A typo in the regexs. Fixed that now.

0 Karma
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...