How to extract field using mode=sed for name extraction?
index=test Sender=PEGAS | rex field= URI"^(?.+?)(\?|\z)" | rex field=URI mode=sed "s/[0-9A-F]{32}/#####/g"
| rex field=URI mode=sed "s/[0-9]{7}[\w]{2}[\d]{4}/#####/g"
| stats count by URI
My output :
Expected result :
Try This , i replaced the '?' in the sting by '/' - Now the string that you want would be everything before the last '/'
| makeresults
| eval _raw="/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58"
| rex mode=sed field=_raw "s/\?/\//g"
| rex field=_raw "(?<_raw>.*)\/"
@karthi2809, can you use the code button (101010)
on Splunk Answers to post your SPL so that special characters do not escape? Also values in your current output feel similar to expected output. What is the difference you want to see? Can you give example value of field URI and what you need to extract/convert in the same?
My output:
/v0/providers/codes/list/LANGUAGES
/v0/providers/codes/list/PATIENT_PREFERENCES
/v0/providers/codes/list/PROVIDER_TYPES
/v0/providers/details/byid/#####?sourcesystemid=0
/v0/providers/professionals/search
/v0/providers/specialities/list/C?levelofcareind=false
/v0/providers/specialities/list/C?levelofcareind=true
/v0/providers/specialities/list/L?levelofcareind=false
/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58
/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=372A69
Expected result is
/v0/providers/codes/list
/v0/providers/specialities/list
/v1/caremanagement/utilizationmanagementinquiry/casesummary
You don't want these lines??
/v0/providers/details/byid/#####?sourcesystemid=0
/v0/providers/professionals/search
Hi @karthi2809,
If I am understanding your question correctly you want to extract everything before last /
then you can use regex | rex "(?<URI>.*)\/"
Sample query based on sample data which you have provided below query will extract everything before last /
and after that I am filtering /v0/providers/code/list/
in where
command. First 2 lines in below query used to generate sample data.
| makeresults
| eval _raw="/v0/providers/code/list/LANGUAGE"
| rex "(?<Extracted_URI>.*)\/"
| where Extracted_URI="/v0/providers/code/list"
So your query will be
< your search> | rex field=URI "(?<Extracted_URI>.*)\/" | where Extratced_URI="/v0/providers/code/list"
There are many API i need to extract all the API
/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58490
/v1/caremanagement/utilizationmanagementinquiry/casesummary?id=372A69838
/v0/providers/codes/list/AREA_OF_EXPERTISE
/v0/providers/codes/list/LANGUAGES
/v0/providers/codes/list/PATIENT_PREFERENCES
/v0/providers/codes/list/PROVIDER_TYPES
/v0/providers/details/byid/#####?sourcesystemid=0
/v0/providers/professionals/search
/v0/providers/specialities/list/C?levelofcareind=false
/v0/providers/specialities/list/C?levelofcareind=true
Expected result :
/v1/caremanagement/utilizationmanagementinquiry/casesummary
/v0/providers/codes/list
/v0/providers/specialities/list
Expected Results and Output which you have provided have not consistent unique pattern because in /v1/caremanagement/utilizationmanagementinquiry/casesummary?id=260M58490
this API call you want to extract everything before ?
however /v0/providers/specialities/list/C?levelofcareind=false
in this API call you want to extract everything before /
so can we have unique pattern please ? If not then we can't assume that on which API call you want to extract till which delimiter.