Hi
I have events like this and I am using the below expression to extract the command before the query string.
sourcetype="access_combined_wcookie" host=prlws* | rex field=uri "(?P<command>\w+)" | top limit=50 command
But it is capturing gcom as it has . after gcom.suggestions.json. Is there a way to capture the whole thing, meaning gcom.suggestions.json?
167.234.83.253 - - [16/Jul/2013:17:47:44 -0500] "GET /gcom.suggestions.json?selectedText=5GKA2*&start=0&count=Infinity HTTP/1.1" 200
167.234.83.254 - - [16/Jul/2013:17:47:52 -0500] "GET /GenericController?action=getSecurityToken&domain=new.grainger.com&_=1374014869039 HTTP/1.1" 200
Hello
Try with this regex:
...| rex field=uri "(?P< command >(\w+|\.)+)" | ...
*Remove blanks before and after command
Regards
Thank you. It worked !!!
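Added example, not part of the original thread: the pattern from the question and the pattern from the answer run side by side over the two request URIs posted above, with Python's re module standing in for rex (an assumption; both accept the same named-group syntax). It goes slightly beyond the thread by adding a character-class form and a "everything before the ?" form, plus one constructed URI with a hyphen and a sub-directory to show where the word-and-dot patterns stop short.

```python
import re
from collections import Counter

# Sample URIs: the first two are the requests from the question; the third is
# constructed for this example (hyphen + sub-directory), not from the thread.
SAMPLE_URIS = [
    "/gcom.suggestions.json?selectedText=5GKA2*&start=0&count=Infinity",
    "/GenericController?action=getSecurityToken&domain=new.grainger.com&_=1374014869039",
    "/static/search-box.js?v=2",
]

PATTERNS = {
    # Pattern from the question: \w does not match ".", so it stops at "gcom".
    "question": re.compile(r"(?P<command>\w+)"),
    # Pattern from the answer (blanks removed): runs of word characters or dots.
    "answer": re.compile(r"(?P<command>(\w+|\.)+)"),
    # Same matches as the answer, written as one character class.
    "char_class": re.compile(r"(?P<command>[\w.]+)"),
    # Hypothetical stricter variant: the whole path up to the "?".
    "before_query": re.compile(r"^/(?P<command>[^?\s]+)"),
}


def extract(name, uri):
    """Return the first 'command' match (rex also keeps the first match), or None."""
    m = PATTERNS[name].search(uri)
    return m.group("command") if m else None


def top_commands(name, uris, limit=50):
    """Rough stand-in for '| top limit=50 command': most frequent values first."""
    counts = Counter(c for c in (extract(name, u) for u in uris) if c)
    return counts.most_common(limit)


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:13}", [extract(name, u) for u in SAMPLE_URIS])
```

On the constructed third URI the question, answer and character-class patterns all return only "static", because "/" and "-" are outside \w and "."; only the before_query form keeps "static/search-box.js".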