I'm searching for specific GET requests, for example:
GET /wddyr.php?id=41576619113845C1EE http/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
I want to pull out anything that matches this pattern:
{5characters}.php?id={6 random numbers}{12 characters}
The below Regex works but I can't figure out how to implement it within Splunk.
[a-zA-Z]{5}\.php[?]id=[0-9]{6}[a-zA-Z0-9]{12}
Hi digital_alchemy,
If you want to get everything into a field called, for example, getField,
use it in a search this way:
your base search here | rex "(?<getField>[a-zA-Z]{5}\.php[?]id=[0-9]{6}[a-zA-Z0-9]{12})" | table getField
or split it into three different fields:
your base search here | rex "(?<getScript>[a-zA-Z]{5}\.php)[?]id=(?<getID>[0-9]{6})(?<getString>[a-zA-Z0-9]{12})" | table getScript getID getString
Hope this helps ...
cheers, MuS
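An added example, not part of the original thread: a Python check of the three-field extraction against constructed request lines, comparing a loose spelling of the pattern (commas inside the character classes, unescaped dot) with a tightened one. The `STRICT` pattern, the helper names and every sample line except the first are assumptions of this example; Python writes named groups as `(?P<name>...)` where Splunk's rex uses `(?<name>...)`.

```python
import re

# Loose spelling: a comma inside [...] matches a literal ',' and the bare '.'
# matches any character, so near-miss URLs are extracted as well.
LOOSE = re.compile(
    r"(?P<getScript>[a-z,A-Z]{5}.php)[?]id="
    r"(?P<getID>[0-9]{6})(?P<getString>[a-z,A-Z,0-9]{12})"
)

# Tightened variant (an assumption of this example, not from the thread):
# no commas in the classes, a literal dot, a leading "/" so the script name is
# exactly five letters, and a lookahead so the id value is exactly 18 characters.
STRICT = re.compile(
    r"/(?P<getScript>[a-zA-Z]{5}\.php)\?id="
    r"(?P<getID>[0-9]{6})(?P<getString>[a-zA-Z0-9]{12})(?![a-zA-Z0-9])"
)

# Constructed request lines; only the first is the one quoted in the question.
SAMPLES = [
    "GET /wddyr.php?id=41576619113845C1EE http/1.1",
    "GET /ab,cd.php?id=123456ABCDEF,12345 HTTP/1.1",   # commas in name and id
    "GET /wddyrXphp?id=41576619113845C1EE HTTP/1.1",   # no literal dot
    "GET /showproduct.php?id=123456789012345678901 HTTP/1.1",  # longer name and id
    "GET /index.php?id=42 HTTP/1.1",                   # ordinary short id
]


def extract(pattern, line):
    """Return the three named fields as a dict, or None when nothing matches."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def compare(lines):
    """Return (line, loose_hit, strict_hit) for every sample line."""
    return [(l, extract(LOOSE, l) is not None, extract(STRICT, l) is not None)
            for l in lines]


if __name__ == "__main__":
    for line, loose, strict in compare(SAMPLES):
        print(f"loose={loose!s:5} strict={strict!s:5} {line}")
    print(extract(STRICT, SAMPLES[0]))
```

Lines that only the loose pattern matches are the false positives a detection built on it would surface.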