- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What regular expression do I use to create a new f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New to regular expression....
I'm trying to create a new field called Application that is populated from a part of an results from an existing field called AppDomain. Here's my query to show results
index=webapps host=order* AppDomain="*OrderProcess*" "*error*" OR "*exception*" | rex field=AppDomain "(?)" | stats count by AppDomain
AppDomain
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677359969243
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677360750538
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677362395141
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677362906184
/LM/W3SVC/4/ROOT/OrderProcess-1-131296677397950430
/LM/W3SVC/4/ROOT/OrderProcess-1-131297882853714324
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678334631161
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678335308894
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678335390763
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678335627626
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678336195945
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131296678337194875
/LM/W3SVC/4/ROOT/OrderProcessMVC-2-131297882853714324
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296677773203879
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296678051860064
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131296678052119089
/LM/W3SVC/5/ROOT/OrderProcessMVC-2-131297720946816171
I'm only interested in the the OrderProcess portion so the regular expression should begin after the ROOT/ and before -1 or -2 -d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the position of the OrderProcess portion is fixed (5th segment from start), try like this
index=webapps host=order* AppDomain="*OrderProcess*" "*error*" OR "*exception*" | rex field=AppDomain "^\/([^\/]+\/){4}(?<AppDomain>[^-]+)" | stats count by AppDomain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the position of the OrderProcess portion is fixed (5th segment from start), try like this
index=webapps host=order* AppDomain="*OrderProcess*" "*error*" OR "*exception*" | rex field=AppDomain "^\/([^\/]+\/){4}(?<AppDomain>[^-]+)" | stats count by AppDomain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @somesoni2, that works great! Would you mind explaining what the regex does to cut off the end of the query and start with appdomain?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The ^\/ denotes the start of the event, including first forward slash. From there ([^\/]+\/) captures all characters till next forward slash, including forward slash (e.g. LM/ , or W3SVC/ etc). The {4} denotes 4 such values, so covers till /anything/anything/anything/anything/, e.g. /LM/W3SVC/5/ROOT/. Then it captures everything till first hypher, that is the values that you're interested in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks that helps me read the regex and for future reference
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
