The logs are below:
1 request_uri=/bbs/zboard.php?id=qna&page=177&page_num=20&category=&sn=off&ss=on&sc=on&keyword=&prev_no=1133&sn1=&divpage=1&select_arrange=headnum&desc=asc&tag=
2 request_uri=/bbs/view.php?id=reports&no=37
3 request_uri=/search.php
4 request_uri=/bbs/view.php?id=techdocs&no=74
5 request_uri=/
6 request_uri=/search.php?lang=ko&sa=0&ss=1&sc=1&operator=0&keyword=%C0%DA%BF%F8+%C7%D2%B4%E7
7 request_uri=/bbs/view.php?id=freeboard&page=5&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=hit&desc=desc&no=363
.
.
Splunk made a field "request_uri" automatically, but that is not what I want.
Splunk doesn't show the full "request_uri".
The logs are not in only one form. As you can see, the logs vary, so it is hard to write a "regular expression".
Please help me.
Hi hylee
If I understand you correctly, you want the field request_uri to be everything after the = sign. If so, you can use this regex, for example:
(?<=request_uri\=)(?<request_uri>.*)
This matches everything after request_uri=. Hope this helps.
Cheers, MuS
Btw, http://gskinner.com/RegExr/ is a perfect regex playground for learning.
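
Added example, not part of the original thread: the answer's pattern applied in Python to URIs from the question, next to a whitespace-bounded variant for events where more fields follow the URI. Python spells named groups `(?P<name>...)`; the `BOUNDED` pattern, the `extract` and `split_uri` helper names, and the `src_ip`/`status` fields are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The answer's pattern in Python spelling: Python writes named groups as (?P<name>...).
# Greedy .* runs to the end of the line, so '&' and '=' inside the URI are kept.
FULL = re.compile(r"(?<=request_uri=)(?P<request_uri>.*)")

# Assumed variant (not from the thread) for events where other fields follow
# request_uri: \S+ stops at the first whitespace instead of the end of the line.
BOUNDED = re.compile(r"(?<=request_uri=)(?P<request_uri>\S+)")

# URIs are copied from the question; the src_ip/status fields are constructed.
EVENTS = [
    "request_uri=/bbs/view.php?id=reports&no=37",
    "request_uri=/",
    "request_uri=/bbs/view.php?id=freeboard&page=5&sn1=&divpage=1&sn=off&ss=on"
    "&sc=on&select_arrange=hit&desc=desc&no=363",
    "src_ip=192.0.2.10 request_uri=/bbs/view.php?id=techdocs&no=74 status=200",
    "src_ip=192.0.2.10 status=404",  # no request_uri field at all
]


def extract(event, pattern=FULL):
    """Return the request_uri value of one event, or None if the field is absent."""
    match = pattern.search(event)
    return match.group("request_uri") if match else None


def split_uri(uri):
    """Split a URI into (path, [(name, value), ...]), keeping empty values like sn1=."""
    parts = urlsplit(uri)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


if __name__ == "__main__":
    for event in EVENTS:
        full, bounded = extract(event), extract(event, BOUNDED)
        print(f"full={full!r}\n  bounded={bounded!r}")
        if bounded:
            print("  parsed:", split_uri(bounded))
```

On the fourth event the greedy pattern also captures ` status=200`, which is why the bounded variant is worth having when request_uri is not the last field in the event.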