How do I match all data after the last slash using...

harikishore23 · ‎11-27-2018

Hi,

I'm trying to retrieve data using regex and wildcard.

Search query -  "URL=/data/item/v1/*/"

Result 1 - /data/item/v1/1234/on
Result 2 - /data/item/v1/1234

I want to all data between the asterix, but not after the last slash.

I'm using this regex currently, but it doesn't work.

Got the following error - Error in 'rex' command:

The regex '^(.*[\\/])' does not extract anything. It should specify at least one named group. Format: (?...).

rex field=URL "^(.*[\\\/])"

Regex works fine here - regexr . com / 43r9n

woodcock · ‎11-28-2018

Like this:

| makeresults | eval URL="/data/item/v1/1234/on:::/data/item/v1/1234"
| fields - _time
| makemv delim=":::" URL
| mvexpand URL

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex field=URL "^(?:\/[^\/]+){3}\/(?<foo>.*)(?:\/[^\/]*)?"

dkeck · ‎11-27-2018

As said in the error you are missing a named group

You have to specify the name of the field you want to extract the data to

syntax (?<name_of_field>)

Try ^(?<name_of_field>.*[\\\/])

Kind Regards

dkeck · ‎12-06-2018

Please accept if this helped

harikishore23 · ‎11-27-2018

Hi,

I'm getting the following error when using using this search pattern with your code.

| rex field=URL "^(?.*[\\/])"

Encountered the following error while compiling the regex '^(?.*[\/])': Regex: unrecognized character after (? or (?-

Thanks.

dkeck · ‎11-27-2018

sry I did not use the code sample so my answer got changed:

^(?<name_of_field>.*[\\\/])

try this

ddrillic · ‎11-28-2018

It works ; -) you can try -

index=<any index>
| eval _raw="/data/item/v1/1234/on"
| rex field=_raw "^(?<name_of_field>.*[\\\/])"

ddrillic · ‎11-28-2018

A cute demonstration of the greediness of this regular expression ; -)

How do I match all data after the last slash using regex?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!