Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Yet another regex question

dbcase
Motivator
‎09-16-2016 07:00 PM

Hi,

I have data that looks like this

127.0.0.1 - [email protected] [16/Sep/2016:15:34:57.025 +0000] "GET /en-US/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&_=1474040107540 HTTP/1.0" 200 306 "https://icontrol.splunkcloud.com/en-US/app/search/cpe_diagnostics" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" - a06114bf70eddcfcc771658760d1919d 0ms

I'm trying to match on the last segment of the URL

I have regex that looks like this

 rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"

which sort of works.... it picks up the extra " at the end so in this case I get cpe_diagnostics" when all I want is cpe_diagnostics

Some of the other events have the same URL but without the trailing " and the regex works for those.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twinspop
Influencer
‎09-16-2016 07:53 PM

Add the double-quote to your exclusion class:

rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?\s\"]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

twinspop
Influencer
‎09-16-2016 07:53 PM

Add the double-quote to your exclusion class:

rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?\s\"]+)"
0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎09-16-2016 07:55 PM

Thanks twinspop!!!

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎09-16-2016 07:57 PM

No problemo. Glad I could help. 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...