Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex with forward slash character

Keyrl
Explorer
‎01-27-2017 07:04 AM

Hi,

I'm trying to extract to fields from a precalculated field and so far I've trouble with the forward slash character.
My field is formed like this:

FieldGlobal=Field1/Field2

I've tried the following : rex field=FieldGloba "(?[a-zA-Z0-9]+)\/(?[a-zA-Z0-9]+)"

So far, it works for a lot of logs but for some, it gave something like:

FieldExtracted1=Field1%2fField2

Do you know how to work with that ?

Regards

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Keyrl
Explorer
‎01-27-2017 08:08 AM

I got my problem ...
The logs I was trying to parse was Internet access logs.
I was trying to separate the Mime Type field precalculated which was formed like this:
mt=video/mp4 for example.

My extraction was: rex field=mt "(?[a-zA-Z0-9]+)/\//(?[a-zA-Z0-9]+)"|

And ... I discover that some logs include in the URL the "mime" value ...
So the treatment I was trying to do was also based on this value ...

I've corrected the name of the extracted field and it's working fine ...

Thanks a lot for your help !!!!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Keyrl
Explorer
‎01-27-2017 08:08 AM

I got my problem ...
The logs I was trying to parse was Internet access logs.
I was trying to separate the Mime Type field precalculated which was formed like this:
mt=video/mp4 for example.

My extraction was: rex field=mt "(?[a-zA-Z0-9]+)/\//(?[a-zA-Z0-9]+)"|

And ... I discover that some logs include in the URL the "mime" value ...
So the treatment I was trying to do was also based on this value ...

I've corrected the name of the extracted field and it's working fine ...

Thanks a lot for your help !!!!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-27-2017 08:38 AM

Glad things are working for you now. You can accept your own answer to make this question as resolved.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-27-2017 07:35 AM

Give this a try

your base search | rex field=FieldGloba "(?<FieldExtracted1>[^\/]+)\/(?<FieldExtracted1>.+)"
0 Karma
Reply
Solved! Jump to solution

Keyrl
Explorer
‎01-27-2017 07:40 AM

Thanks for your help !

Same result apparently. I still have the "/" character that seems to be converted as %2F in some logs ...

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-27-2017 07:42 AM

I guess the raw data itself contains the that forwarder slash converted to %2F. So how about this?

your base search | rex field=FieldGloba "(?<FieldExtracted1>.)(\/|%2F)(?<FieldExtracted1>.+)"
0 Karma
Reply
Solved! Jump to solution

Keyrl
Explorer
‎01-27-2017 07:52 AM

Mmhhh already tried it and it's even worse 🙂
I don't understand why as it should match ...

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-27-2017 07:56 AM

Well at this time, I would ask for sample events (scrub any sensitive information) for both scenarios ( where it's working and where it's not).

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...