Splunk Search

extract url and product.

sandeepmakkena
Contributor

mess.url= /ae-business/shop/question/answer/product/HHRM2M/B?furl=bd2b75a1e85553a64aa4df2c47c93e049ccfe0d07f5dc518f9559717d83908ab6ff115411b3efea9d64cb1a097af5b6907eb6207f809449562d6003fa594d6f3

I am able to trim it with this rex

| rex field=mess.uri "^(?.+?)\?"

which is giving me /ae-business/shop/question/answer/product/HHRM2M/B but, I want to trim of anything before shop and get any thing after product into new filed.
I am looking for something like this shop/question/answer/product and productcode= HHRM2M/B
Thanks for your time.

0 Karma
1 Solution

gcusello
Legend

Hi sandeepmakkena,
your regex isn't readable, please use the Code Sample (the one with 101010) button to display regexes.

Anyway, try something like this:

| ...
| rex "\/[^\/]*(?<url>.*product)\/(?<productcode>.*)"

you can test it at https://regex101.com/r/313FWE/2

Bye.
Giuseppe

View solution in original post

0 Karma

sandeepmakkena
Contributor
| rex field=mess.uri "^(?.+?)\?"

Here is the rex I am using.

0 Karma

gcusello
Legend

Hi sandeepmakkena,
your regex isn't readable, please use the Code Sample (the one with 101010) button to display regexes.

Anyway, try something like this:

| ...
| rex "\/[^\/]*(?<url>.*product)\/(?<productcode>.*)"

you can test it at https://regex101.com/r/313FWE/2

Bye.
Giuseppe

0 Karma

sandeepmakkena
Contributor

I you can treat any think after /shop/ till product/ as a url and code after that as productcode nether than matching .
I don't how to express in rex. /shop/...../product/ as url and something like this as HHRM2M/B productcode.

0 Karma

sandeepmakkena
Contributor

This works for the url part but in productcode I see this "HHRM2M/B?furl=bd2b75a1e85553a64aa4df2c47c93e049ccfe0d07f5dc518f9559717d83908ab6ff115411b3efea9d64cb1a097af5b6907eb6207f809449562d6003fa594d6f3" but, I just want that to only HHRM2M/B and And also I am getting error on "Streamed search execute failed because: Error in 'rex' command: regex="\/[^\/](?.*product)\/(?.)" has exceeded configured match_limit, consider raising the value in limits.conf"

Thanks for your time.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...