Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Yet another regex question

dbcase
Motivator
‎09-16-2016 07:00 PM

Hi,

I have data that looks like this

127.0.0.1 - dancase@icontrol.com [16/Sep/2016:15:34:57.025 +0000] "GET /en-US/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&_=1474040107540 HTTP/1.0" 200 306 "https://icontrol.splunkcloud.com/en-US/app/search/cpe_diagnostics" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" - a06114bf70eddcfcc771658760d1919d 0ms

I'm trying to match on the last segment of the URL

I have regex that looks like this

 rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"

which sort of works.... it picks up the extra " at the end so in this case I get cpediagnostics" when all I want is cpediagnostics

Some of the other events have the same URL but without the trailing " and the regex works for those.

Tags (2)
0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Yet another regex question

twinspop
Influencer
‎09-16-2016 07:53 PM

Add the double-quote to your exclusion class:

rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?\s\"]+)"

View solution in original post

0 Karma
Reply
Highlighted
Solved! Jump to solution

Re: Yet another regex question

dbcase
Motivator
‎09-16-2016 07:55 PM

Thanks twinspop!!!

0 Karma
Reply
Highlighted
Solved! Jump to solution

Re: Yet another regex question

twinspop
Influencer
‎09-16-2016 07:57 PM

No problemo. Glad I could help. 🙂

0 Karma
Reply