Solved: Regular Expression for field extraction

brennson90 · ‎11-23-2021

Hi everyone,

i got two URLs which i want to represent in one regex group. The dest Port (443) will be in a seperate group

Here are two examples.

my.url.is.here:443

When i use the following regex "(?<url>[^\s:]+):?" the first example is fine, but the second only catches "http" because it only matches till the ":"

Can someone help and fix my regex?

Thanks.

brennson90 · ‎11-23-2021

Hi, i found the solution "(?<url>.+)(:|\?)"

Anyways, thanks for the support @ITWhisperer

View solution in original post

brennson90 · ‎11-23-2021

Hi, i found the solution "(?<url>.+)(:|\?)"

Anyways, thanks for the support @ITWhisperer

brennson90 · ‎11-23-2021

Hi @ITWhisperer thx for the reply. Now the first number of the dest port is lost.

It captures everything till "my.url.is.here:4"

ITWhisperer · ‎11-23-2021

Please provide the SPL you are using (in a code </> block preferably)

brennson90 · ‎11-23-2021

I'm not 100% sure what you want to see.

This is my search

index=mysearch
| rex "\s(?<url>.+)(:\d|\?)(?<dest_port>\d+)?\s+"

ITWhisperer · ‎11-23-2021

If you don't mind losing the ?, you could use

"(?<url>.+)(:\d|\?)"

Regular Expression for field extraction

regex

rex

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk