Splunk Search

How to split and retrieve a value?

zacksoft
Contributor

I think we may need regex for this and I am not good at it.
I need to be able to extract the last part, i.e. (TMNT-1752), from the string below. In some cases the numeric part could be three or more digits too, like CMNU-112 or NT=1223 etc. or TURC-12223. I think I want the part that comes after selectedIssue=.

https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752

0 Karma
1 Solution

p_gurav
Champion

Hi,

Can you try this:

  | rex field=url "selected\w+=(?<value>(([^\&]+)|(.+)))"

OR

  | rex field=_raw "selected\w+=(?<value>(([^\&]+)|(.+)))"


0 Karma

nikita_p
Contributor

Hi @,
I think the regex above should work for you, but if it doesn't, you can try the regex below.
index=xyz | rex field=url "\"(selected\w+)\"[=]*(?P(([^&]+)|(.+)))\""

0 Karma

p_gurav
Champion

Hi,

Can you try this:

  | rex field=url "selected\w+=(?<value>(([^\&]+)|(.+)))"

OR

  | rex field=_raw "selected\w+=(?<value>(([^\&]+)|(.+)))"
0 Karma

zacksoft
Contributor

Thanks @p_gurav

0 Karma

p_gurav
Champion

Welcome. 🙂

0 Karma

DavidHourani
Super Champion

Hi man,

This should work for you:

  | rex field=url "selectedIssue\=(?<value>[^\&]+)" 

Best regards,
David

0 Karma

zacksoft
Contributor

What if the string I am looking for is between "selected=" and "&"?

Example: selectedIssue=TWNT1752&
selectedDefect=TMNT1752
selectedGarfi=TMNT1234
selectedEpic=TMNT1234

How do I extract it?

0 Karma

DavidHourani
Super Champion

Ah, from what I read, I saw you needed selected issue only.

Simplest form is:

  | rex field=url "selected\w+=(?<value>[^\&]+)" 
0 Karma

p_gurav
Champion

Hi zacksoft,

In the example string, is "pelectedIkkue=" constant? If yes, then you can try the one below:

| rex field=_raw "selectedIssue\=(?P<field1>.+)"
0 Karma

zacksoft
Contributor

If I try this, where will it extract TMNT-1752 to?
I need to be able to use the value and put it in a table.

0 Karma

p_gurav
Champion

It will extract into "field1", which you can use in the search.

0 Karma

zacksoft
Contributor

@p_gurav
Actually it's not _raw. The entire string itself is stored in a field called "url".
What changes do I make for that?

0 Karma

p_gurav
Champion

Then use the below:

 | rex field=url "selectedIssue\=(?P<field1>.+)"
0 Karma

zacksoft
Contributor

A small change... I see in some of the strings there are some values that are present after TMNT-1752 and they begin with '&', and that messes up the extract. Can I filter those?

Example: https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752&m...

The current query's output is "TMNT-1752&myReq=1234somethingsomething"

Can we just get the part present between "selectedIssue=" and "&"?

0 Karma

p_gurav
Champion

Then try this. It will create a field called value which you can use in search:

  | rex field=url "selectedIssue\=(?<value>(([^\&]+)|(.+)))" 

OR

    | rex field=_raw "selectedIssue\=(?<value>(([^\&]+)|(.+)))" 
0 Karma

zacksoft
Contributor

Yes, that is constant. The only value that changes is 'TMNT-1752'. It could be something like ABC-1233 or ABFD-121 etc...

0 Karma

harsmarvania57
SplunkTrust

Hi @zacksoft,

Please try <yourBasesearch> | rex ".*=(?<value>.*)"; this will extract TMNT-1752 into the new field value.

Here is a run-anywhere search; the first 2 lines generate dummy data only.

| makeresults 
| eval _raw="https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&pelectedIkkue=TMNT-1752" 
| rex ".*=(?<value>.*)"
0 Karma

zacksoft
Contributor

There is another "=" sign before "rapidView". But I don't want that value. I only want the last one that comes after 'selectedIssue='

0 Karma

harsmarvania57
SplunkTrust

Can you please post your full event instead of part of the event so that we can write the regex properly?

0 Karma

zacksoft
Contributor

The string itself is extracted from _raw and stored in a field called 'url'.
And the url field is as follows. I need the string that is present after 'selectedIssue='.

https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752"

0 Karma
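
The patterns suggested in this thread, compared side by side in one run-anywhere search; this is an added example, not a search posted by any of the participants. The three sample URLs are constructed from the one in the question, and the field names `greedy`, `last_eq` and `well_formed`, the `[?&]` anchor, the `#` exclusion and the `^[A-Z]+-\d+$` format check are assumptions of this example.

```spl
| makeresults
| eval url=split("https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752|https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752&myReq=1234|https://phut.mayhem.com/secure/JapidJoard.jspa?selectedIssue=ABFD-121&view=detail", "|")
| mvexpand url
| rex field=url "selectedIssue=(?<greedy>.+)"
| rex field=url ".*=(?<last_eq>.*)"
| rex field=url "[?&]selectedIssue=(?<value>[^&#]+)"
| eval well_formed=if(match(value, "^[A-Z]+-\d+$"), "yes", "no")
| table url greedy last_eq value well_formed
```

On the second and third URLs `greedy` carries the trailing `&...` parameters and `last_eq` returns the value of the final parameter instead, while `value` holds only the issue key. The `[?&]` anchor keeps the pattern from matching a longer parameter name that merely ends in `selectedIssue`, and `well_formed` flags values that do not look like an issue key before they reach a table or lookup.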