Splunk Search
Highlighted

extract url and product.

Contributor

mess.url= /ae-business/shop/question/answer/product/HHRM2M/B?furl=bd2b75a1e85553a64aa4df2c47c93e049ccfe0d07f5dc518f9559717d83908ab6ff115411b3efea9d64cb1a097af5b6907eb6207f809449562d6003fa594d6f3

I am able to trim it with this rex

| rex field=mess.uri "^(?.+?)\?"

which is giving me /ae-business/shop/question/answer/product/HHRM2M/B but, I want to trim of anything before shop and get any thing after product into new filed.
I am looking for something like this shop/question/answer/product and productcode= HHRM2M/B
Thanks for your time.

0 Karma
Highlighted

Re: extract url and product.

Legend

Hi sandeepmakkena,
your regex isn't readable, please use the Code Sample (the one with 101010) button to display regexes.

Anyway, try something like this:

| ...
| rex "\/[^\/]*(?<url>.*product)\/(?<productcode>.*)"

you can test it at https://regex101.com/r/313FWE/2

Bye.
Giuseppe

View solution in original post

0 Karma
Highlighted

Re: extract url and product.

Contributor

This works for the url part but in productcode I see this "HHRM2M/B?furl=bd2b75a1e85553a64aa4df2c47c93e049ccfe0d07f5dc518f9559717d83908ab6ff115411b3efea9d64cb1a097af5b6907eb6207f809449562d6003fa594d6f3" but, I just want that to only HHRM2M/B and And also I am getting error on "Streamed search execute failed because: Error in 'rex' command: regex="\/[^\/](?.product)\/(?.*)" has exceeded configured match_limit, consider raising the value in limits.conf"

Thanks for your time.

0 Karma
Highlighted

Re: extract url and product.

Contributor

I you can treat any think after /shop/ till product/ as a url and code after that as productcode nether than matching .
I don't how to express in rex. /shop/...../product/ as url and something like this as HHRM2M/B productcode.

0 Karma
Highlighted

Re: extract url and product.

Contributor
| rex field=mess.uri "^(?.+?)\?"

Here is the rex I am using.

0 Karma