Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: help with regex
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vrmandadi
Builder
01-31-2018
01:00 PM
I have the below sample data, and I want to extract everything after the service URL till maxd=60&mind=60 into a new field called service.
I have used (?i) url: (?P.+?)\w+= but it is not extracting completly
31 Jan 2018 20:22:13 [INFO ] AD Transaction: timestamp: 1513204259, transactionID: 2899739, reqID: 3022368026, uuid: 72dca744-b342-4aac-9861-005056b21335, type: ad request, transaction: start, service url: http://mrm.mdc.time.com/ad/p/1?nw=376521&mode=live&vdur=600&flag=+sltp+amsl+ssus+amcb+dtrd&metr=1031..., client url: http://mmdai-linear-west-01.time.com
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-31-2018
06:22 PM
try this also:
...| rex "(?i)service url:\s*(?<service>.*)&maxd=60&mind=60"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-31-2018
10:24 PM
hey try this run anywhere search
| makeresults
| eval _raw="31 Jan 2018 20:22:13 [INFO ] AD Transaction: timestamp: 1513204259, transactionID: 2899739, reqID: 3022368026, uuid: 72dca744-b342-4aac-9861-005056b21335, type: ad request, transaction: start, service url: http://mrm.mdc.time.com/ad/p/1?nw=376521&mode=live&vdur=600&flag=+sltp+amsl+ssus+amcb+dtrd&metr=1031..., client url: http://mmdai-linear-west-01.time.com";
| rex field=_raw "service\surl\:\s+(?<service_URL>.*)&maxd=60&mind=60"
In your environment, you should write
<base_search> | rex field=_raw "service\surl\:\s+(?<service_URL>.*)&maxd=60&mind=60"
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-31-2018
06:22 PM
try this also:
...| rex "(?i)service url:\s*(?<service>.*)&maxd=60&mind=60"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vrmandadi
Builder
02-01-2018
08:43 AM
This helped,made some changes to it..Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
01-31-2018
01:13 PM
How about trying this:
your query to return events
| rex "service url:\s*(?<service>.*)&maxd=60&mind=60"
| table service
see extraction here
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
