Splunk Search

Yet another regex question

dbcase
Motivator

Hi,

I have data that looks like this

127.0.0.1 - dancase@icontrol.com [16/Sep/2016:15:34:57.025 +0000] "GET /en-US/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&_=1474040107540 HTTP/1.0" 200 306 "https://icontrol.splunkcloud.com/en-US/app/search/cpe_diagnostics" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" - a06114bf70eddcfcc771658760d1919d 0ms

I'm trying to match on the last segment of the URL

I have regex that looks like this

 rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"

which sort of works.... it picks up the extra " at the end so in this case I get cpe_diagnostics" when all I want is cpe_diagnostics

Some of the other events have the same URL but without the trailing " and the regex works for those.

Tags (2)
0 Karma
1 Solution

twinspop
Influencer

Add the double-quote to your exclusion class:

rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?\s\"]+)"

View solution in original post

0 Karma

twinspop
Influencer

Add the double-quote to your exclusion class:

rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?\s\"]+)"
0 Karma

dbcase
Motivator

Thanks twinspop!!!

0 Karma

twinspop
Influencer

No problemo. Glad I could help. 🙂

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...