Splunk Search
Highlighted

Why is the regular expression to match URI patterns in my Splunk search not working as expected?

New Member

I want to match the line 1 and line 5 pattern kind of URI in my search

/services/contracts/D7C3D8AD7B616D7ABA7B
/services/contracts/?owner_id=36E6057857FB41820A494109
/services/contracts/FMOTSNQ2ETDLYLCWYVLB/purchased
/services/contracts/FMOTSNQ2ETDLYLCWYVLB/config
/services/contracts/D7C3D8AD7B616D7ABA7B

Regular expression I am using
\/services\/contracts\/[a-zA-z0-9]{20}$

I have tested the above data with regex I have created in below sites
where people suggested here to check your regular expression

http://www.regexpal.com/ and
http://regexr.com/
It is returning me the expected results

When I apply the same in Splunk, it is not working. Any suggestions would be appreciated

| regex_raw="\/services\/contracts\/[a-zA-z0-9]{20}$"
0 Karma
Highlighted

Re: Why is the regular expression to match URI patterns in my Splunk search not working as expected?

Legend

I just tried this (run anywhere sample) and it works for me. I noticed there's no space between regex and _raw, but that may be just a typo in posting.

| makeresults | eval x=" /services/contracts/D7C3D8AD7B616D7ABA7B;/services/contracts/?owner_id=36E6057857FB41820A494109;/services/contracts/FMOTSNQ2ETDLYLCWYVLB/purchased;/services/contracts/FMOTSNQ2ETDLYLCWYVLB/config;/services/contracts/D7C3D8AD7B616D7ABA7B" | makemv x delim=";" | mvexpand x | regex x="\/services\/contracts\/[a-zA-z0-9]{20}$"
0 Karma
Highlighted

Re: Why is the regular expression to match URI patterns in my Splunk search not working as expected?

New Member

alt text

To be more exact above data is like below.It is not working in splunk.I tried below data with inline it is not working and splunk search is returning some other data.

127.0.0.1 - - [10/Oct/2016:22:06:43 +0000] "GET /services/contracts/443BF039529E5F683DAB HTTP/1.0" 200 2071 0.132
127.0.0.1 - - [10/Oct/2016:22:06:43 +0000] "GET /services/contracts/443BF039529E5F683DAB HTTP/1.0" 200 2071 0.132
127.0.0.1 - - [10/Oct/2016:22:06:43 +0000] "GET /services/contracts/443BF039529E5F683DAB HTTP/1.0" 200 2071 0.132

Anyways I have figured out the missing thing the following change helped me what I was looking
I should also say in my regex followed by a \s which will not pick up other uris

"\/services\/program-contracts\/[a-zA-Z0-9]{20}\s"

0 Karma
Highlighted

Re: Why is the regular expression to match URI patterns in my Splunk search not working as expected?

Splunk Employee
Splunk Employee

Hi uday88,

I think you should remove the dollar sign ($) at the end of the regex; just use the following instead:

| regex_raw="\/services\/contracts\/[a-zA-z0-9]{20}$"

$ indicates the end of a string, which is not what you are looking for.

Hope it helps. Thanks!
Hunter Shen

0 Karma
Highlighted

Re: Why is the regular expression to match URI patterns in my Splunk search not working as expected?

New Member

Thanks hunter for your reply.I have added my changes in the previous comment.

I have added a space encounter need to be followed by my regex.So it will only pick URI I am interested.
If I remove $ or keep it will still pick up other matching URI as well

regex need to be this.I have added to the last in my previous comment.
"\/services\/program-contracts\/[a-zA-Z0-9]{20}\s"

0 Karma