Hi People,
I am trying to run a regex command to cut out a part of the REQ field.
On regex101 it is working fine; however, on Splunk it is causing problems and I get an "unknown search command" error.
Here is the query I am using:
index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST"
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src CUST as username USR as username
| rex field=_raw REQ\=\".*\/(?<page>\w*[^0-9]+(\.jsp)?)\/?\"
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page
I do not want the regex command to cut out pages with numbers in them, so I've included [^0-9] in there, which works on regex101, but Splunk does not like it, even when I use a backslash to escape it, and it still doesn't pull out the data.
I've also tried using:
index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST"
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src CUST as username USR as username
| rex field=_raw REQ\=\".*\/(?<page>[a-zA-Z_]+(\.jsp)?)\/?\"
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page
but this gives me the "unknown search command :a" error.
Any help would be greatly appreciated.
Thanks
Hi ssjabid,
did you try with quotes in the rex command?
| rex "REQ\=\".*\/(?<page>\w*[^0-9]+(\.jsp)?)\/?\""
The option field=_raw isn't important.
Bye.
Giuseppe
The rex command requires quotation marks around the regex expression.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Required_arguments
Managed to get it working 🙂 This did help! Thank you!
@ssjabid
Can you please share sample data?
REQ="././././switches" EVC="EVT_TRACE" EID="securityfilter.request" DIP="" CLS="" 4ReqURI="///*/api/v1/switches"
So I am trying to capture the "switches" part of REQ; however, sometimes a log appears with a number instead, and I would like to ignore that, but [^0-9] doesn't happen to work.
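The thread settles the syntax error (rex needs the regex in quotes), but the [^0-9] question is really about what the regex captures once it does run. Below is an added example, not code from the original post or from Splunk, that emulates rex's first-match extraction in Python over constructed events (not real data) laid out exactly like the one sample line in the thread, with only the last path segment varied. Python's re module names groups as (?P<page>...) rather than PCRE's (?<page>...); otherwise the posted pattern is unchanged. The tightened pattern is my suggestion, not the poster's: it stays inside the REQ quotes with [^"]* and allows only letters and underscores in the segment, so a digit anywhere in the page name makes the extraction fail (and the event drops out of stats count by page) instead of capturing a run of text that spans several fields.

```python
"""Emulate what `| rex` extracts from IBM WAS JMX events of the posted shape."""
import re
from collections import Counter

# Constructed events (not from the original post), in the same field layout as the
# sample line in the thread; only the last path segment of REQ / ReqURI varies.
TEMPLATE = ('REQ="././././{seg}" EVC="EVT_TRACE" EID="securityfilter.request" '
            'DIP="" CLS="" 4ReqURI="///*/api/v1/{seg}"')
SEGMENTS = ["switches", "switches", "phoneauthentication.jsp",
            "12345", "1switches", "switches2"]
EVENTS = [TEMPLATE.format(seg=s) for s in SEGMENTS]

# The regex from the thread, in Python syntax: Python names groups (?P<page>...),
# Splunk's PCRE also accepts (?<page>...). Nothing else is changed.
POSTED = re.compile(r'REQ\=\".*\/(?P<page>\w*[^0-9]+(\.jsp)?)\/?\"')

# Tightened variant (my suggestion, not from the thread): [^"]* keeps the search inside
# the REQ value, and [A-Za-z_]+ means any digit in the segment fails the whole match
# instead of letting [^0-9]+ run past the closing quote into the next fields.
TIGHT = re.compile(r'REQ="[^"]*/(?P<page>[A-Za-z_]+(?:\.jsp)?)/?"')


def extract_page(pattern, event):
    """First match only, like rex's default max_match=1; None when nothing matches."""
    m = pattern.search(event)
    return m.group("page") if m else None


def stats_count_by_page(pattern, events):
    """Emulate `| stats count by page`: events with no extracted page are dropped."""
    pages = [p for p in (extract_page(pattern, e) for e in events) if p is not None]
    return dict(Counter(pages))


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("tightened", TIGHT)):
        print(f"== {name} ==")
        for seg, ev in zip(SEGMENTS, EVENTS):
            print(f"{seg:>24} -> {extract_page(pat, ev)!r}")
        print(stats_count_by_page(pat, EVENTS))
```

Running it shows why [^0-9] seemed not to work: with the posted pattern, "switches" and "phoneauthentication.jsp" extract cleanly, "1switches" is still captured (\w* happily eats the leading digit, which is what the page!="1*" filter in the search was papering over), and for "12345" or "switches2" the greedy [^0-9]+ backtracks across the closing quote and the page field ends up holding `12345" EVC="EVT_TRACE" ... CLS="`, a value that then shows up as its own row in the stats table. The tightened pattern returns None for all three digit-bearing segments, so only the two real pages survive the stats.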