Splunk Search

How to validate regex expression?

karthi2809
Contributor

my regex:

s/[^a-z]+\d/####/g

Output:
/v3/securemessages/members654fdfgd2-b2ad545a-b2f2-d545eb545d45/messages/incident4545/reply

Expected output:

/v3/securemessages/members/messages/incident/reply

please help on this.

0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

As I mentioned above, try the following regex:

| rex field=yourfield mode=sed "s/(\/[A-Za-z][A-Za-z]+)([^\/]+)?/\1/g"

For example, if I replicate your example in my lab:

| makeresults
| eval foo = "/v3/securemessages/members654fdfgd2-b2ad545a-b2f2-d545eb545d45/messages/incident4545/reply"
| rex field=foo mode=sed "s/(\/[A-Za-z][A-Za-z]+)([^\/]+)?/\1/g"

Output:

alt text

Hope that helps.

Thanks,
J

View solution in original post

0 Karma

javiergn
SplunkTrust
SplunkTrust

As I mentioned above, try the following regex:

| rex field=yourfield mode=sed "s/(\/[A-Za-z][A-Za-z]+)([^\/]+)?/\1/g"

For example, if I replicate your example in my lab:

| makeresults
| eval foo = "/v3/securemessages/members654fdfgd2-b2ad545a-b2f2-d545eb545d45/messages/incident4545/reply"
| rex field=foo mode=sed "s/(\/[A-Za-z][A-Za-z]+)([^\/]+)?/\1/g"

Output:

alt text

Hope that helps.

Thanks,
J

0 Karma

karthi2809
Contributor

Thanks J
When i used the regex i am getting output like this
/v3/securemessages/members/a#####aae#####b#####e-ae#####e#####aa#####f/categories

Because I have lot URI in my event

so i have query like this below:

index=test_prod| rex field=URI "^(?.+?)(\?|\z)"
| rex field=APIName mode=sed "s/[0-9A-F]{32}/#####/g"
| rex field=APIName mode=sed "s/[0-9]{7}[\w]{2}[\d]{4}/#####/g"| rex field=APIName mode=sed "s/[^a-z]+\d/#####/g"| rex field=APIName mode=sed "s/[0-9]+\d/#####/g" |rex field=APIName mode=sed "s/(\/[A-Za-z][A-Za-z]+)([^\/]+)?/\1/g"
| stats count by APIName Sender

Can you please help on this

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi,

What do you want to see instead of

/v3/securemessages/members/a#####aae#####b#####e-ae#####e#####aa#####f/categories

All the rex's you are running there in SED mode are basically replacing every match with 5 hashes so if you don't want to see that you can simply leave the second part of your SED pattern empty, as in:

| rex field=APIName mode=sed "s/[0-9A-F]{32}//g" 
| rex field=APIName mode=sed "s/[0-9]{7}[\w]{2}[\d]{4}//g"
| rex field=APIName mode=sed "s/[^a-z]+\d//g"
| rex field=APIName mode=sed "s/[0-9]+\d//g"

But it all looks over complicated to me so again, if you can provide a detailed sample, how it looks initially and your desired output, I might be able to help more.

0 Karma

karthi2809
Contributor

Thanks a lot

There is lot of URL i will send some complicated URI
/v1/utility/hcpcsprocedurecodes/j7q
/v1/utility/hcpcsprocedurecodes/m

/v1/utility/hcpcsprocedurecodes/m7zv

/v1/utility/hcpcsprocedurecodes/m7zz

/v1/utility/revenuecodes/m
/v1/utility/revenuecodes/m7zv
/v3/securemessages/members/afae0-a4ecae9be1/categories
/v3/securemessages/members/afbfc-a7d3-f4afedf/categories
/v3/securemessages/members/bda8eaaa-bdaf1e/messages/incident/reply

Have to remove ' bda8eaaa-bdaf1e','afbfc-a7d3-f4afedf'

0 Karma

ips_mandar
Builder

Hi,
can you try this:

...|rex mode=sed "s/^((\/\w+){2})(\/\D+).*?(\/\w+\/\D+).*?(\/\w+)/\1\3\4\5/g"
0 Karma

splunker12er
Motivator

try this,

.+((?i)members\/).+
0 Karma

javiergn
SplunkTrust
SplunkTrust

@karthi2809, what exactly are you trying to achieve if I may ask?

Do you simply want to get rid of the numbers and symbols from any directory level in your path?
If so, what about v3, does that count too?

See in any case my answer below in case it helps.

0 Karma

ips_mandar
Builder
|rex mode=sed "s/^((\/\w+){2})(\/\D+).*?(\/\w+\/\D+).*?(\/\w+)/\1\3\4\5/g"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...