Solved: Re: extract uri

sandeepmakkena · ‎10-07-2019

/hk-zh/shop/buy-phone/phone-1/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-256gb-%E9%8A%80%E8%89%B2 1059
/hk/shop/buy-phone/phoneSS/5.5-inch-display-128gb-rose-gold 493
/hk-zh/shop/buy-phone/one6/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E7%8E%AB%E7%91%B0%E9%87%91%E8%89%B2   375
/shop/buy-tab/mini-3/128gb-gold-wifi    90
/shop/buy-tab/mini-3/128gb-silver-wifi  90
/hk-zh/shop/buy-phone/phone-sm/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E9%8A%80%E8%89%B2 60
/hk-zh/shop/buy-phone/phone-ap/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E4%BA%AE%E9%BB%91%E8%89%B2    59
/hk-zh/shop/buy-phone/phone-lg/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E5%A4%AA%E7%A9%BA%E7%81%B0    59

I want to extract URL starting from /shop/..... till special char like %E5 something.
Something like this.
/shop/buy-phone/phone-1/5.8
/shop/buy-phone/phoneSS/5.5-inch-display-128gb-rose-gold
/shop/buy-phone/one6/5.5
/shop/buy-tab/mini-3/128gb-gold-wifi
/shop/buy-tab/mini-3/128gb-silver-wifi

vasanthmss · ‎10-07-2019

Try the below run anywhere search,

|makeresults | eval url=split(("/hk-zh/shop/buy-phone/phone-1/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-256gb-%E9%8A%80%E8%89%B2    1059,
/hk/shop/buy-phone/phoneSS/5.5-inch-display-128gb-rose-gold    493,
/hk-zh/shop/buy-phone/one6/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E7%8E%AB%E7%91%B0%E9%87%91%E8%89%B2    375,
/shop/buy-tab/mini-3/128gb-gold-wifi    90,
/shop/buy-tab/mini-3/128gb-silver-wifi    90,
/hk-zh/shop/buy-phone/phone-sm/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E9%8A%80%E8%89%B2    60,
/hk-zh/shop/buy-phone/phone-ap/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E4%BA%AE%E9%BB%91%E8%89%B2    59,
/hk-zh/shop/buy-phone/phone-lg/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E5%A4%AA%E7%A9%BA%E7%81%B0    59"),",")
|mvexpand url
| eval decoded_url=urldecode(url)
| rex field=url "shop(?<ex_url>[a-zA-Z\/\-0-9\.]+)"
| rex field=ex_url mode=sed "s/-$//g"
| eval ex_url="/shop"+ex_url
| table url, decoded_url, ex_url

url- actual url from samples
decoded_url - decoded url using urldecode function.
ex_url - is the extracted url.

Hope this helps you..

Cheers !!!

V

View solution in original post

kiamco · ‎10-07-2019

try something like this

| your search | rex field=`some_field` "(?<=\/shop)(?<uri>[a-zA-Z-0-9.\/-]+)" | table uri

vasanthmss · ‎10-07-2019

Try the below run anywhere search,

|makeresults | eval url=split(("/hk-zh/shop/buy-phone/phone-1/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-256gb-%E9%8A%80%E8%89%B2    1059,
/hk/shop/buy-phone/phoneSS/5.5-inch-display-128gb-rose-gold    493,
/hk-zh/shop/buy-phone/one6/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E7%8E%AB%E7%91%B0%E9%87%91%E8%89%B2    375,
/shop/buy-tab/mini-3/128gb-gold-wifi    90,
/shop/buy-tab/mini-3/128gb-silver-wifi    90,
/hk-zh/shop/buy-phone/phone-sm/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E9%8A%80%E8%89%B2    60,
/hk-zh/shop/buy-phone/phone-ap/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E4%BA%AE%E9%BB%91%E8%89%B2    59,
/hk-zh/shop/buy-phone/phone-lg/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E5%A4%AA%E7%A9%BA%E7%81%B0    59"),",")
|mvexpand url
| eval decoded_url=urldecode(url)
| rex field=url "shop(?<ex_url>[a-zA-Z\/\-0-9\.]+)"
| rex field=ex_url mode=sed "s/-$//g"
| eval ex_url="/shop"+ex_url
| table url, decoded_url, ex_url

url- actual url from samples
decoded_url - decoded url using urldecode function.
ex_url - is the extracted url.

Hope this helps you..

Cheers !!!

V

extract uri

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation