AbsoluteUri=https://website.api.net/hch6348/relay/6bcb449b-7d85-4f71-a6f4-fae37808627f-udcc1.crp.hs.com/script/w...
AbsoluteUri=https://website.api.net/hch6348/health
I have a field with a uri that looks like either of the above. I want to extract the word "relay" or "health" from the url into a field called apiEndpoint.
I've tried piping the field into this regex, but I cannot get it right: | rex "AbsoluteUri\":\"((\/.+?)(\/.+?)?<apiEndpoint>\/?)"
I have not been able to find an example like this on the Splunk forums. Any help would be appreciated.
This should do it.
... | rex "AbsoluteUri=https:\/\/[^\/]+\/[^\/]+\/(?<apiEndpoint>[^\/]+|$)"
Also, the URL Toolbox app may be helpful.
Thank you so much! This worked perfectly for me. Accepted answer
As far as the URL toolbox, I don't have control over my company's Splunk deployment, so I can't install that. It does seem very helpful though, I've seen it recommended a ton of places
Try this
| rex field=AbsoluteUri "https://\w+.\w+\w/\w+/(?<uri>[^(\/)|(\s)]+)" | table uri
I'm sorry, this didn't work for me. I accepted richgalloway's answer.
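The two rex patterns from the answers above, run against the sample URIs from the question, as an added example that is not part of the original thread. The JavaScript harness, the `strict` pattern and the third event (with a query string and a trailing field) are constructed assumptions; JavaScript accepts the same `(?<name>...)` group syntax that rex uses.

```javascript
// Patterns copied from the two answers; only the JS regex delimiters are added.
const accepted = /AbsoluteUri=https:\/\/[^\/]+\/[^\/]+\/(?<apiEndpoint>[^\/]+|$)/;
const second = /https:\/\/\w+.\w+\w\/\w+\/(?<uri>[^(\/)|(\s)]+)/;
// Hypothetical variant (not from the thread): also stop at '?', '#' and whitespace.
const strict = /AbsoluteUri=https?:\/\/[^\/]+\/[^\/]+\/(?<apiEndpoint>[^\/?#\s]+)/;

const events = [
  // First two events are the URIs from the question (the first is truncated there too).
  "AbsoluteUri=https://website.api.net/hch6348/relay/6bcb449b-7d85-4f71-a6f4-fae37808627f-udcc1.crp.hs.com/script/w...",
  "AbsoluteUri=https://website.api.net/hch6348/health",
  // Constructed event: query string plus another key=value pair after the URI.
  "AbsoluteUri=https://website.api.net/hch6348/health?probe=1 status=200",
];

// Return the named capture group, or null when the pattern does not match.
function extract(re, text, group) {
  const m = re.exec(text);
  return m && m.groups[group] ? m.groups[group] : null;
}

// The second answer uses `rex field=AbsoluteUri`, so it sees only the field value.
function fieldValue(event) {
  return event.replace(/^AbsoluteUri=/, "").split(/\s/)[0];
}

function report() {
  return events.map((e) => ({
    accepted: extract(accepted, e, "apiEndpoint"),
    // Fails on this host: `\w+.\w+\w` allows a single dot, "website.api.net" has two.
    second: extract(second, fieldValue(e), "uri"),
    strict: extract(strict, e, "apiEndpoint"),
  }));
}

console.table(report());
```

On the constructed third event the accepted pattern captures everything up to the next slash, including the query string and the following field, which is why the variant excludes `?`, `#` and whitespace.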