Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: help with regex
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vrmandadi
Builder
01-31-2018
01:00 PM
I have the below sample data, and I want to extract everything after the service URL till maxd=60&mind=60 into a new field called service.
I have used (?i) url: (?P.+?)\w+= but it is not extracting completly
31 Jan 2018 20:22:13 [INFO ] AD Transaction: timestamp: 1513204259, transactionID: 2899739, reqID: 3022368026, uuid: 72dca744-b342-4aac-9861-005056b21335, type: ad request, transaction: start, service url: http://mrm.mdc.time.com/ad/p/1?nw=376521&mode=live&vdur=600&flag=+sltp+amsl+ssus+amcb+dtrd&metr=1031..., client url: http://mmdai-linear-west-01.time.com
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-31-2018
06:22 PM
try this also:
...| rex "(?i)service url:\s*(?<service>.*)&maxd=60&mind=60"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-31-2018
10:24 PM
hey try this run anywhere search
| makeresults
| eval _raw="31 Jan 2018 20:22:13 [INFO ] AD Transaction: timestamp: 1513204259, transactionID: 2899739, reqID: 3022368026, uuid: 72dca744-b342-4aac-9861-005056b21335, type: ad request, transaction: start, service url: http://mrm.mdc.time.com/ad/p/1?nw=376521&mode=live&vdur=600&flag=+sltp+amsl+ssus+amcb+dtrd&metr=1031..., client url: http://mmdai-linear-west-01.time.com";
| rex field=_raw "service\surl\:\s+(?<service_URL>.*)&maxd=60&mind=60"
In your environment, you should write
<base_search> | rex field=_raw "service\surl\:\s+(?<service_URL>.*)&maxd=60&mind=60"
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
01-31-2018
06:22 PM
try this also:
...| rex "(?i)service url:\s*(?<service>.*)&maxd=60&mind=60"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vrmandadi
Builder
02-01-2018
08:43 AM
This helped,made some changes to it..Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
01-31-2018
01:13 PM
How about trying this:
your query to return events
| rex "service url:\s*(?<service>.*)&maxd=60&mind=60"
| table service
see extraction here
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
