Hi Splunker,
I want to use a rex command that extracts until Splunk finds one of the parameters below in the logs:
1) ?
2) sag
3) If neither of the options is there, then the full statement until the end is to be extracted.
My logs look like this. Any one of the examples can appear in my logs.
Ex-1 "POST /services/api/cumulativeLogo?trespassxyz (I want the data to be rexed as POST /services/api/cumulativeLogo)
Ex-2 "POST /services/api/cumulativeLogosag (data to be extracted as POST /services/api/cumulativeLogo)
Ex-3 "POST /services/api/cumulativeLogosamplefull.lopend.parameter (data to be rexed as POST /services/api/cumulativeLogosamplefull.lopend.parameter)
Thanks in advance
Try this:
| makeresults | eval tst="POST /services/api/cumulativeLogo?trespassxyz#POST /services/api/cumulativeLogosag#POST /services/api/cumulativeLogosamplefull.lopend.parameter" | eval tst=split(tst,"#") | mvexpand tst | rex field=tst "(?<exValue>\S+.*?)(\?|sag|$)"
Try this:
your base search | rex "\"(?<URI>.+?)(\?|sag|$)"
See it working with sample data here: https://regex101.com/r/ApNEXM/1
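Both answers rely on the same idea: a capture group followed by the alternation `(\?|sag|$)`. The quantifier inside the capture has to be lazy (`.+?`), because a greedy `.+` swallows the whole line and then only the `$` alternative can match, so nothing gets trimmed. The Python below is an added example, not code from the original thread, that runs the lazy and greedy forms over constructed events modelled on the three cases in the question (Python writes named groups as `(?P<URI>...)` where Splunk's rex accepts `(?<URI>...)`; the regexes are otherwise the same PCRE-style patterns). It also adds a variant of my own, `TRAILING_SAG_RE`, which assumes `sag` only matters as a trailing suffix; the question does not say whether that is intended, so treat it as an option rather than the answer.

```python
import re

# Constructed sample events modelled on the three cases in the question
# (not real log lines).
SAMPLE_EVENTS = [
    '"POST /services/api/cumulativeLogo?trespassxyz',
    '"POST /services/api/cumulativeLogosag',
    '"POST /services/api/cumulativeLogosamplefull.lopend.parameter',
]

# Lazy quantifier (.+?): the capture stops at the FIRST "?" or "sag";
# the "$" alternative lets the whole remainder through when neither occurs.
LAZY_URI_RE = re.compile(r'"(?P<URI>.+?)(?:\?|sag|$)')

# Greedy variant (.+) shown for comparison: ".+" first swallows the whole
# line, after which only the "$" alternative can match, so nothing is trimmed.
GREEDY_URI_RE = re.compile(r'"(?P<URI>.+)(?:\?|sag|$)')

# Assumed stricter reading (my addition, not from the thread): treat "sag"
# as a delimiter only when it ends the value, so paths that merely contain
# the letters "sag" (e.g. "/messages/") are left intact.
TRAILING_SAG_RE = re.compile(r'"(?P<URI>.+?)(?:\?|sag$|$)')


def extract_uri(event, pattern=LAZY_URI_RE):
    """Return the URI captured by `pattern`, or None if the event has no quote."""
    m = pattern.search(event)
    return m.group('URI') if m else None


def extract_all(events, pattern=LAZY_URI_RE):
    """Apply extract_uri to every event, like rex over a set of search results."""
    return [extract_uri(e, pattern) for e in events]


if __name__ == '__main__':
    for event, uri in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f'{event!r:65} -> {uri!r}')
    # The greedy pattern returns the whole line for the "?" case.
    print(extract_uri(SAMPLE_EVENTS[0], GREEDY_URI_RE))
    # Caveat: "messages" contains "sag", so the lazy pattern cuts it short.
    print(extract_uri('"GET /messages/list', LAZY_URI_RE))
    print(extract_uri('"GET /messages/list', TRAILING_SAG_RE))
```

Running the module prints the three expected URIs, then the untrimmed greedy result, then `GET /mes` for the `/messages/list` event under the thread's pattern versus the full path under the trailing-only variant. If paths in your data can legitimately contain the substring `sag`, pick the variant (or anchor `sag` to the end of the value in your rex) before relying on the extracted field in a search.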