Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex with forward slash character

Keyrl
Explorer
‎01-27-2017 07:04 AM

Hi,

I'm trying to extract to fields from a precalculated field and so far I've trouble with the forward slash character.
My field is formed like this:

FieldGlobal=Field1/Field2

I've tried the following : rex field=FieldGloba "(?[a-zA-Z0-9]+)\/(?[a-zA-Z0-9]+)"

So far, it works for a lot of logs but for some, it gave something like:

FieldExtracted1=Field1%2fField2

Do you know how to work with that ?

Regards

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Keyrl
Explorer
‎01-27-2017 08:08 AM

I got my problem ...
The logs I was trying to parse was Internet access logs.
I was trying to separate the Mime Type field precalculated which was formed like this:
mt=video/mp4 for example.

My extraction was: rex field=mt "(?[a-zA-Z0-9]+)/\//(?[a-zA-Z0-9]+)"|

And ... I discover that some logs include in the URL the "mime" value ...
So the treatment I was trying to do was also based on this value ...

I've corrected the name of the extracted field and it's working fine ...

Thanks a lot for your help !!!!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Keyrl
Explorer
‎01-27-2017 08:08 AM

I got my problem ...
The logs I was trying to parse was Internet access logs.
I was trying to separate the Mime Type field precalculated which was formed like this:
mt=video/mp4 for example.

My extraction was: rex field=mt "(?[a-zA-Z0-9]+)/\//(?[a-zA-Z0-9]+)"|

And ... I discover that some logs include in the URL the "mime" value ...
So the treatment I was trying to do was also based on this value ...

I've corrected the name of the extracted field and it's working fine ...

Thanks a lot for your help !!!!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-27-2017 08:38 AM

Glad things are working for you now. You can accept your own answer to make this question as resolved.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-27-2017 07:35 AM

Give this a try

your base search | rex field=FieldGloba "(?<FieldExtracted1>[^\/]+)\/(?<FieldExtracted1>.+)"
0 Karma
Reply
Solved! Jump to solution

Keyrl
Explorer
‎01-27-2017 07:40 AM

Thanks for your help !

Same result apparently. I still have the "/" character that seems to be converted as %2F in some logs ...

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-27-2017 07:42 AM

I guess the raw data itself contains the that forwarder slash converted to %2F. So how about this?

your base search | rex field=FieldGloba "(?<FieldExtracted1>.)(\/|%2F)(?<FieldExtracted1>.+)"
0 Karma
Reply
Solved! Jump to solution

Keyrl
Explorer
‎01-27-2017 07:52 AM

Mmhhh already tried it and it's even worse 🙂
I don't understand why as it should match ...

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-27-2017 07:56 AM

Well at this time, I would ask for sample events (scrub any sensitive information) for both scenarios ( where it's working and where it's not).

0 Karma
Reply
Get Updates on the Splunk Community!

Best Strategies to Optimize Observability Costs

 Join us on Tuesday, May 6, 2025, at 11 AM PDT / 2 PM EDT for an insightful session on optimizing ...

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...
Top