Splunk Search

How to extract field using mode=sed for name extraction?

karthi2809
Contributor

How to extract field using mode=sed for name extraction?

index=test Sender=PEGAS | rex field= URI"^(?.+?)(\?|\z)" | rex field=URI mode=sed "s/[0-9A-F]{32}/#####/g"
| rex field=URI mode=sed "s/[0-9]{7}[\w]{2}[\d]{4}/#####/g"
| stats count by URI

My output :alt text

Expected result :

alt text

Tags (4)

saurabhkharkar
Path Finder

Try This , i replaced the '?' in the sting by '/' - Now the string that you want would be everything before the last '/'

| makeresults
| eval _raw="/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58"
| rex mode=sed field=_raw "s/\?/\//g"
| rex field=_raw "(?<_raw>.*)\/"

0 Karma

niketn
Legend

@karthi2809, can you use the code button (101010) on Splunk Answers to post your SPL so that special characters do not escape? Also values in your current output feel similar to expected output. What is the difference you want to see? Can you give example value of field URI and what you need to extract/convert in the same?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

karthi2809
Contributor

My output:
/v0/providers/codes/list/LANGUAGES

/v0/providers/codes/list/PATIENT_PREFERENCES

/v0/providers/codes/list/PROVIDER_TYPES
/v0/providers/details/byid/#####?sourcesystemid=0

/v0/providers/professionals/search

/v0/providers/specialities/list/C?levelofcareind=false

/v0/providers/specialities/list/C?levelofcareind=true

/v0/providers/specialities/list/L?levelofcareind=false
/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58

/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=372A69

Expected result is
/v0/providers/codes/list
/v0/providers/specialities/list
/v1/caremanagement/utilizationmanagementinquiry/casesummary

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You don't want these lines??

/v0/providers/details/byid/#####?sourcesystemid=0 
/v0/providers/professionals/search 
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @karthi2809,

If I am understanding your question correctly you want to extract everything before last / then you can use regex | rex "(?<URI>.*)\/"

Sample query based on sample data which you have provided below query will extract everything before last / and after that I am filtering /v0/providers/code/list/ in where command. First 2 lines in below query used to generate sample data.

| makeresults 
| eval _raw="/v0/providers/code/list/LANGUAGE"
| rex "(?<Extracted_URI>.*)\/"
| where Extracted_URI="/v0/providers/code/list"

So your query will be

< your search>  | rex field=URI "(?<Extracted_URI>.*)\/" | where Extratced_URI="/v0/providers/code/list"
0 Karma

karthi2809
Contributor

There are many API i need to extract all the API

/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58490

/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=372A69838
/v0/providers/codes/list/AREA_OF_EXPERTISE

/v0/providers/codes/list/LANGUAGES

/v0/providers/codes/list/PATIENT_PREFERENCES

/v0/providers/codes/list/PROVIDER_TYPES
/v0/providers/details/byid/#####?sourcesystemid=0

/v0/providers/professionals/search

/v0/providers/specialities/list/C?levelofcareind=false

/v0/providers/specialities/list/C?levelofcareind=true

Expected result :
/v1/caremanagement/utilizationmanagementinquiry/casesummary
/v0/providers/codes/list
/v0/providers/specialities/list

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Expected Results and Output which you have provided have not consistent unique pattern because in /v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58490 this API call you want to extract everything before ? however /v0/providers/specialities/list/C?levelofcareind=false in this API call you want to extract everything before / so can we have unique pattern please ? If not then we can't assume that on which API call you want to extract till which delimiter.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...