Splunk Search

extract url and product.

sandeepmakkena
Contributor

mess.url= /ae-business/shop/question/answer/product/HHRM2M/B?furl=bd2b75a1e85553a64aa4df2c47c93e049ccfe0d07f5dc518f9559717d83908ab6ff115411b3efea9d64cb1a097af5b6907eb6207f809449562d6003fa594d6f3

I am able to trim it with this rex

| rex field=mess.uri "^(?.+?)\?"

which is giving me /ae-business/shop/question/answer/product/HHRM2M/B, but I want to trim off anything before shop and get anything after product into a new field.
I am looking for something like this: shop/question/answer/product and productcode= HHRM2M/B
Thanks for your time.


gcusello
SplunkTrust

Hi sandeepmakkena,
your regex isn't readable, please use the Code Sample (the one with 101010) button to display regexes.

Anyway, try something like this:

| ...
| rex "\/[^\/]*(?<url>.*product)\/(?<productcode>.*)"

you can test it at https://regex101.com/r/313FWE/2

Bye.
Giuseppe


sandeepmakkena
Contributor
| rex field=mess.uri "^(?.+?)\?"

Here is the rex I am using.


sandeepmakkena
Contributor

If you can treat anything after /shop/ till product/ as a url and the code after that as productcode rather than matching .
I don't know how to express that in rex: /shop/...../product/ as url and something like HHRM2M/B as productcode.


sandeepmakkena
Contributor

This works for the url part, but in productcode I see this: "HHRM2M/B?furl=bd2b75a1e85553a64aa4df2c47c93e049ccfe0d07f5dc518f9559717d83908ab6ff115411b3efea9d64cb1a097af5b6907eb6207f809449562d6003fa594d6f3", and I just want that to be only HHRM2M/B. Also, I am getting an error: "Streamed search execute failed because: Error in 'rex' command: regex="\/[^\/](?.*product)\/(?.)" has exceeded configured match_limit, consider raising the value in limits.conf"

Thanks for your time.
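An added example, not part of the original thread: it runs the accepted answer's pattern and a tightened variant over constructed URIs to show where the query string ends up. It is written in Python, whose named groups use `(?P<name>...)` where rex uses `(?<name>...)`; the tightened pattern, the sample URIs and the `extract` helper are assumptions based on the asker's stated goal.

```python
import re

# Pattern from the accepted answer, rewritten in Python's named-group syntax
# ((?P<name>...) instead of rex's (?<name>...)).
ANSWER = re.compile(r"/[^/]*(?P<url>.*product)/(?P<productcode>.*)")

# Tightened variant (an assumption about the intent stated in the thread):
# start the url at "shop/", end it at the first "/product/", and let neither
# group cross "?" or whitespace, so the query string is never captured.
# rex form: "/(?<url>shop/[^?\s]*?/product)/(?<productcode>[^?\s]+)"
TIGHT = re.compile(r"/(?P<url>shop/[^?\s]*?/product)/(?P<productcode>[^?\s]+)")

# Constructed sample values; the furl token is a short placeholder.
SAMPLES = [
    "/ae-business/shop/question/answer/product/HHRM2M/B?furl=0123abcd",
    "/ae-business/shop/question/answer/product/HHRM2M/B",
    "/ae-business/shop/cart?next=/product/X1",  # "product" only in the query
]


def extract(pattern, uri):
    """Return (url, productcode), or None when the pattern does not match."""
    m = pattern.search(uri)
    return (m.group("url"), m.group("productcode")) if m else None


if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri)
        print("  answer:", extract(ANSWER, uri))
        print("  tight: ", extract(TIGHT, uri))
```

In Splunk, pass the field that holds the URI to rex with `field=`; without it, rex runs against `_raw`.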
