Solved: Re: Splunk newbie question

ncorchado · ‎05-23-2012

Given my apache access_log URI is /Foobar/FoobarServices, I want to extract Foobar only for my timechart. makemv delim="/" allowempty=t uri returns Foobar and FoobarServices. All I want is the Foobar. How do I do that?

makemv delim="/" allowempty=t uri | timechart count by uri

Thanks!

ncorchado · ‎05-23-2012

Got it
sourcetype="access_combined" | rex field=uri "^/(?.+?)/" | timechart count by JVM
Thanks!

View solution in original post

dmaislin_splunk · ‎05-23-2012

Cool, please accept the answer and select the up arrow then.

ncorchado · ‎05-23-2012

Got it
sourcetype="access_combined" | rex field=uri "^/(?.+?)/" | timechart count by JVM
Thanks!

dmaislin_splunk · ‎05-23-2012

Did you get a new field on the left called newfield with this information?

ncorchado · ‎05-23-2012

Yes. I tried your recommendation and I still get /Foobar/FoobarServices. I just want to capture Foobar.

dmaislin_splunk · ‎05-23-2012

Are you just trying to extract information between the / and create a new field?

sourcetype="access_combined" | rex field=uri "^/(?.+?)/"

Something like this?

Splunk newbie question

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!