Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex to start with specific characters

xvxt006
Contributor
‎05-30-2013 09:54 AM

Hi, i would like to get all the requests that start with / and there will be few alpha numeric characters and then ends with .css or .js, etc.

i have tried ^/*.(css|js) but did not work. Any suggestions?

Sample requests

/B387_38.css
/Globalfile.js
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-30-2013 10:32 AM

Well, you probably should not start the regex with a caret (^), unless you want to start your matching from the very beginning of the event. Also, there seems to be some confusion regarding regex wildcard characters.

* = match the preceding character zero or more times
. = match any character (once)

"slash, followed by a few alphanums, followed by dot, followed by either css or js" would look like;

/[A-Za-z0-9]+\.(js|css)

if you also want underscore to match in the filename, you can actually shorten the expression 

/\w+\.(js|css)

Note, if you want to use the regex search command, you might need to specify more things, like a field to operate on, or quoting.

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Regex

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-30-2013 10:32 AM

Well, you probably should not start the regex with a caret (^), unless you want to start your matching from the very beginning of the event. Also, there seems to be some confusion regarding regex wildcard characters.

* = match the preceding character zero or more times
. = match any character (once)

"slash, followed by a few alphanums, followed by dot, followed by either css or js" would look like;

/[A-Za-z0-9]+\.(js|css)

if you also want underscore to match in the filename, you can actually shorten the expression 

/\w+\.(js|css)

Note, if you want to use the regex search command, you might need to specify more things, like a field to operate on, or quoting.

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Regex

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-30-2013 02:01 PM

yep, if you use a field to operate on, the caret is relative to the field value.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-30-2013 12:57 PM

Add the initial caret.

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎05-30-2013 11:56 AM

Thank you Kristian. the pattern i gave is uri and it always starts with / so that is why i had ^. So if i wanted to start with should i just add ^ at the beginning for the regex expression.

When i use the regex you have given, i am getting

/mobile/m/shared/css/global.css
/js/grainger/addtocartajax.js

which is not the format i am looking for (/B387_38.css or
/Globalfile.js). Do you know what to change?

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-30-2013 10:37 AM

OOPS. A typo in the regexs. Fixed that now.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...