Solved: Regex expression

xvxt006 · ‎07-16-2013

Hi

I have events like this and i am using the below expression to extract the command before query string.

sourcetype="access_combined_wcookie" host=prlws*  | rex field=uri "(?P<command>\w+)" | top limit=50 command

But it is capturing gcom as it has . after gcom.suggestions.json. Is there way to capture the whole thing meaning gcom.suggestions.json

167.234.83.253 - - [16/Jul/2013:17:47:44 -0500] "GET /gcom.suggestions.json?selectedText=5GKA2*&start=0&count=Infinity HTTP/1.1" 200 

167.234.83.254 - - [16/Jul/2013:17:47:52 -0500] "GET /GenericController?action=getSecurityToken&domain=new.grainger.com&_=1374014869039 HTTP/1.1" 200

gfuente · ‎07-16-2013

Hello

Try with this regex:

...| rex field=uri "(?P< command >(\w+|\.)+)" | ...

*Remove blanks before and after command

Regards

View solution in original post

gfuente · ‎07-16-2013

Hello

Try with this regex:

...| rex field=uri "(?P< command >(\w+|\.)+)" | ...

*Remove blanks before and after command

Regards

xvxt006 · ‎07-18-2013

Thank you. It worked !!!

Regex expression

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...