Solved: How do I edit my regular expression to search for ...

dbcase · ‎08-23-2016

Hi,

I'm having a dickens of a time trying to figure out how to use a question mark as the termination of a search for regex. My data looks like this

####     <[ACTIVE] ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1470912327355>  <[STUCK] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "662" seconds working on the request "Workmanager: mediaUpload-workManager, Version: 0, Scheduled=true, Started=true, Started time: 662872 ms
[
POST /cameraProxy/video?token=MTE0NTg5OjExNDU4OS4xNDcwMzgzNzc1OjExNDU4OS4zOjExNDU4OV83ODAzNDM2NTE3X3ZfMTM2NF80MjM4MjUwOTo2MDAyNTM= HTTP/1.1

And I'm trying to match on the ? just at the end of the /cameraProxy/video URL. My umpteenth try at the regex looks like this

GET\s|POST\s+(?<status>\/\w+\/\w+)

Which works, but if the URL is digits instead of a word, it wouldn't match. Ideally I'd like to search for the GET / POST, then the space, then match everything up to the ? mark.

sundareshr · ‎08-23-2016

Try this

 GET\s|POST\s+(?<status>\/[^\?]+)

View solution in original post

sundareshr · ‎08-23-2016

Try this

 GET\s|POST\s+(?<status>\/[^\?]+)

dbcase · ‎08-23-2016

One day my goal is to be as smart as you Sundareshr! 🙂

sundareshr · ‎08-23-2016

Your goal is very near, my friend 🙂

How do I edit my regular expression to search for a question mark in a string?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!