Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What regular expression do I use to create a new f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New to regular expression....
I'm trying to create a new field called Application that is populated from a part of an results from an existing field called AppDomain. Here's my query to show results
index=webapps host=order* AppDomain="*OrderProcess*" "*error*" OR "*exception*" | rex field=AppDomain "(?)" | stats count by AppDomain
AppDomain
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677359969243
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677360750538
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677362395141
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677362906184
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677397950430
/LM/W3SVC/4/ROOT/OrderProcess-1-131297882853714324
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678334631161
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678335308894
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678335390763
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678335627626
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678336195945
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678337194875
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131297882853714324
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296677773203879
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296678051860064
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296678052119089
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131297720946816171
I'm only interested in the the OrderProcess portion so the regular expression should begin after the ROOT/ and before -1 or -2 -d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the position of the OrderProcess portion is fixed (5th segment from start), try like this
index=webapps host=order* AppDomain="*OrderProcess*" "*error*" OR "*exception*" | rex field=AppDomain "^\/([^\/]+\/){4}(?<AppDomain>[^-]+)" | stats count by AppDomain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the position of the OrderProcess portion is fixed (5th segment from start), try like this
index=webapps host=order* AppDomain="*OrderProcess*" "*error*" OR "*exception*" | rex field=AppDomain "^\/([^\/]+\/){4}(?<AppDomain>[^-]+)" | stats count by AppDomain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @somesoni2, that works great! Would you mind explaining what the regex does to cut off the end of the query and start with appdomain?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The ^\/ denotes the start of the event, including first forward slash. From there ([^\/]+\/) captures all characters till next forward slash, including forward slash (e.g. LM/ , or W3SVC/ etc). The {4} denotes 4 such values, so covers till /anything/anything/anything/anything/, e.g. /LM/W3SVC/5/ROOT/. Then it captures everything till first hypher, that is the values that you're interested in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks that helps me read the regex and for future reference
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
