Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search Query when having multiple right boundaries...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search Query when having multiple right boundaries.
Hi i would like to get the commands from the below pattern. For example i am looking for search, content, gcom.suggestions.json, etc.
i have used the below query. In the rex i have mentioned to capture (at least i wanted to be) uri part which starts with / and ends with either ? (urls other than /content) or space (for /content uri there is nothing after this). But it is not working properly. Is this how this should be done? when you have multiple left and right boundaries.
sourcetype=access_combined_wcookie host=qalws* LR_VPT_HYBRIS | rex field=uri "(?i)/(?P<command>[\?|\s)" | top limit=100 command
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "POST /search?searchQuery=RELAYS%20%20ELECTRIC* HTTP/1.1"
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "GET /content HTTP/1.1"
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "GET /content HTTP/1.1"
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "GET /content/homepage HTTP/1.1"
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "GET /gcom.suggestions.json?selectedText=TAPE%20*&start=0&count=Infinity HTTP/1.1"
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "POST /search?searchQuery=ADAPTER* HTTP/1.1"
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "GET /content/homepage HTTP/1.1"
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "POST /search?searchQuery=HYDRAULICS* HTTP/1.1"
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "POST /search?searchQuery=COPPER%20TUBING* HTTP/1.1"
167.115.210.254 - - [18/Dec/2012:11:29:59 -0600] "GET /gcom.suggestions.json?selectedText=BEARING|*&start=0&count=Infinity HTTP/1.1"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I have tired and it is working but i wanted to exclude resources like js, css, img, etc.
Si have added this uri != "(?i).*.(?:js|css|png|img|png)" anything needs to be corrected in that?
sourcetype=access_combined_wcookie host=qalws* LR_VPT_HYBRIS uri != "(?i)..(?:js|css|png|img|png)" | rex field=uri "/(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I will try that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=access_combined_wcookie host=qalws* LR_VPT_HYBRIS
| rex field=uri "/(?P<command>.*?)[?\"]"
should work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been trying to achieve this and it seems I was missing ? after .*
Your comment helped me.
AI for AppInspect
App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community
Operationalizing Entity Risk Score with Enterprise Security 8.3+
