Splunk Search

Yet another regex question

dbcase
Motivator

Hi,

I have data that looks like this

127.0.0.1 - dancase@icontrol.com [16/Sep/2016:15:34:57.025 +0000] "GET /en-US/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&_=1474040107540 HTTP/1.0" 200 306 "https://icontrol.splunkcloud.com/en-US/app/search/cpe_diagnostics" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" - a06114bf70eddcfcc771658760d1919d 0ms

I'm trying to match on the last segment of the URL

I have regex that looks like this

 rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"

which sort of works.... it picks up the extra " at the end so in this case I get cpe_diagnostics" when all I want is cpe_diagnostics

Some of the other events have the same URL but without the trailing " and the regex works for those.

Tags (2)
0 Karma
1 Solution

twinspop
Influencer

Add the double-quote to your exclusion class:

rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?\s\"]+)"

View solution in original post

0 Karma

twinspop
Influencer

Add the double-quote to your exclusion class:

rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?\s\"]+)"
0 Karma

dbcase
Motivator

Thanks twinspop!!!

0 Karma

twinspop
Influencer

No problemo. Glad I could help. 🙂

0 Karma
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...