Splunk Search

How to extract data from a line containing words with "/" between them?

kostasKats
Explorer

I have the below line:

Parameters: {"referrer"=>"http://www.xxxxx.net/transport_deeplink/4.0/EE/en-gb/EUR

and I want to use a regex command (rex field=_raw) in order to count them by:

domain: http://www.xxxxx.net
country: EE
language: en-gb
currency: EUR

Can someone please help me with this?

0 Karma
1 Solution

jeffland
SplunkTrust

If the structure is always the same, this should work:

\=\>\"(?<domain>http:\/\/[^\/]+)(?:\/[^\/]+){2}\/(?<country>[^\/]+)\/(?<language>[^\/]+)\/(?<currency>[^\/]+)

Place it in your rex like this:

... | rex field=_raw "\=\>\"(?<domain>http:\/\/[^\/]+)(?:\/[^\/]+){2}\/(?<country>[^\/]+)\/(?<language>[^\/]+)\/(?<currency>[^\/]+)" | ...

PS: you should check/develop your regexes with something like https://regex101.com/, it actually makes regex fun 🙂
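
The extraction above, re-created in Python as an added example (not part of the original post) and run over constructed events, shows where the final `[^\/]+` group overruns when the referrer value is followed by a closing quote or further parameters. The `"id"` parameter and the bounded `[^/"]+` variant are assumptions for illustration; Python writes named groups as `(?P<name>...)` where rex uses `(?<name>...)`.

```python
import re
from collections import Counter

# Python's re spells named groups (?P<name>...); Splunk's rex (PCRE) uses (?<name>...).
PREFIX = r'=>"(?P<domain>http://[^/]+)(?:/[^/]+){2}/(?P<country>[^/]+)/(?P<language>[^/]+)/'
AS_POSTED = re.compile(PREFIX + r'(?P<currency>[^/]+)')   # pattern from the answer
BOUNDED = re.compile(PREFIX + r'(?P<currency>[^/"]+)')    # assumption: stop at the closing quote

# Constructed sample events: the question's line, closed with a quote, plus a
# hypothetical second parameter ("id") that does not appear on the original page.
EVENTS = [
    'Parameters: {"referrer"=>"http://www.xxxxx.net/transport_deeplink/4.0/EE/en-gb/EUR"}',
    'Parameters: {"referrer"=>"http://www.xxxxx.net/transport_deeplink/4.0/EE/en-gb/EUR", "id"=>"5"}',
    'Parameters: {"referrer"=>"http://www.xxxxx.net/transport_deeplink/4.0/DE/de-de/EUR"}',
    'Parameters: {"referrer"=>"http://www.xxxxx.net/about"}',  # too few segments: no match
]

FIELDS = ("domain", "country", "language", "currency")


def extract(pattern, event):
    """Return the four fields as a tuple, or None when the event does not match."""
    m = pattern.search(event)
    return tuple(m.group(f) for f in FIELDS) if m else None


def count_by_fields(pattern, events):
    """Rough equivalent of `| stats count by domain country language currency`."""
    return Counter(t for t in (extract(pattern, e) for e in events) if t)


if __name__ == "__main__":
    for name, pat in (("as posted", AS_POSTED), ("bounded", BOUNDED)):
        print(name)
        for key, n in sorted(count_by_fields(pat, EVENTS).items()):
            print("  ", n, key)
```

With the pattern as posted, the two EE events land in separate buckets because the trailing text becomes part of `currency`; the bounded variant groups them together.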

kostasKats
Explorer

Thank you very much jeff, it worked perfectly!

I would check https://regex101.com/, but do you have any sites/sources that have a dictionary or anything else that would help me learn how to use the regex from the start?

I would like to learn how to use those commands: "\/\/[^\/]+"! For the time being I know/understand only the basic structure like:
\d
\D
\w
\W

0 Karma

jeffland
SplunkTrust

http://www.regexr.com/ is sometimes helpful with more explicit explanations when looking at specific regexes, but http://www.regular-expressions.info/ is IMHO the best source for more general explanations.

Also, please post regexes as code here on splunk answers - otherwise the markup will mess them up.

kostasKats
Explorer

Thank you again jeffland,

What do you mean by: "Also, please post regexes as code here on splunk answers - otherwise the markup will mess them up" ?

Do you mean the tag I used for the question?

0 Karma

jeffland
SplunkTrust

Have a look at the buttons above the text editor - you'll see one for bold, italic and eventually one for marking stuff as code. Please use it on regexes, otherwise they will look like they do in your previous posts (e.g. backslashes can get lost, angular brackets and their content are dropped etc).
Alternatively, start such phrases which contain special characters (e.g. regexes) with an acute accent (`) and close it with the same character again, which will yield `something like this`, or leave one line empty and indent the next one by four spaces

    which will yield this (better for longer code)

kostasKats
Explorer

Got it! Thank you very much for your advice, Jeff. I will keep the code button in mind next time I post here.

0 Karma