Solved: Yet another regex question

dbcase · ‎09-16-2016

Hi,

I have data that looks like this

127.0.0.1 - dancase@icontrol.com [16/Sep/2016:15:34:57.025 +0000] "GET /en-US/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&_=1474040107540 HTTP/1.0" 200 306 "https://icontrol.splunkcloud.com/en-US/app/search/cpe_diagnostics" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" - a06114bf70eddcfcc771658760d1919d 0ms

I'm trying to match on the last segment of the URL

I have regex that looks like this

 rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?/\s]+)"

which sort of works.... it picks up the extra " at the end so in this case I get cpe_diagnostics" when all I want is cpe_diagnostics

Some of the other events have the same URL but without the trailing " and the regex works for those.

twinspop · ‎09-16-2016

Add the double-quote to your exclusion class:

rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?\s\"]+)"

View solution in original post

twinspop · ‎09-16-2016

Add the double-quote to your exclusion class:

rex "en-US/app/(?<app>[^/]+)/(?<dashboard>[^?\s\"]+)"

dbcase · ‎09-16-2016

Thanks twinspop!!!

twinspop · ‎09-16-2016

No problemo. Glad I could help. 🙂

Yet another regex question

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?

Are you a member of the Splunk Community?

Yet another regex question

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?