Solved: Re: Splunk newbie question

ncorchado · ‎05-23-2012

Given my apache access_log URI is /Foobar/FoobarServices, I want to extract Foobar only for my timechart. makemv delim="/" allowempty=t uri returns Foobar and FoobarServices. All I want is the Foobar. How do I do that?

makemv delim="/" allowempty=t uri | timechart count by uri

Thanks!

ncorchado · ‎05-23-2012

Got it
sourcetype="access_combined" | rex field=uri "^/(?.+?)/" | timechart count by JVM
Thanks!

View solution in original post

dmaislin_splunk · ‎05-23-2012

Cool, please accept the answer and select the up arrow then.

ncorchado · ‎05-23-2012

Got it
sourcetype="access_combined" | rex field=uri "^/(?.+?)/" | timechart count by JVM
Thanks!

dmaislin_splunk · ‎05-23-2012

Did you get a new field on the left called newfield with this information?

ncorchado · ‎05-23-2012

Yes. I tried your recommendation and I still get /Foobar/FoobarServices. I just want to capture Foobar.

dmaislin_splunk · ‎05-23-2012

Are you just trying to extract information between the / and create a new field?

sourcetype="access_combined" | rex field=uri "^/(?.+?)/"

Something like this?

Splunk newbie question

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes