Splunk Search

regex only first occurrance

sreesh
New Member

logs
source=/api/docker/docker-snapshot-demo/v2/pdap/pdap-validator-router/manifests/1.0.aws
source=/api/docker/docker-snapshot/v2/mode-date/mod-validator-router/manifests/1.0.aws

we want to extract the first occurrence of string that has min of 1 hyphen and max of 2 hyphens into separate filed. In above example, only "docker-snapshot-eis" and "docker-snapshot" should be extracted into different filed.
tried "\w*[-]\w*" and "\b\w*[-']\w*\b" but has challenge limiting to first occurrence and range specifier.

Tags (2)
0 Karma
1 Solution

PavelP
Motivator

Hello @sreesh,

please try

^[^\-]+\/([^\/\-]+\-[^\/\-]+\-?[^\/\-]*)\/

https://regex101.com/r/1DpHfH/1

View solution in original post

0 Karma

PavelP
Motivator

Hello @sreesh,

please try

^[^\-]+\/([^\/\-]+\-[^\/\-]+\-?[^\/\-]*)\/

https://regex101.com/r/1DpHfH/1

0 Karma

sreesh
New Member

it worked, thanks Pavel

0 Karma

sreesh
New Member

Doing inline field extraction using rex. The output is a bit different
source=request.log | rex "(?^[^-]+\/([^\/-]+-[^\/-]+-?[^\/-])\/)" | stats count by Repo

output
20200513125800|0|REQUEST| 10.20.39.233 |non_authenticated_user|GET|/api/docker/docker-login/

while I require only docker-login in Repo filed. Other files already extracted using delimeter
the Resource field value is /api/docker/docker-login/

0 Karma

PavelP
Motivator

@sreesh for inline regex use

| rex field=source "^[^\-]+\/(?<Repo>[^\/\-]+\-[^\/\-]+\-?[^\/\-]*)\/"
0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...