Filed transformation / regex help

jdziedzic · ‎06-10-2014

I could use some help creating a field transform. A sample log entry:

192.168.2.1 Bubba Joe [10/Jun/2014:13:34:26 -0400] "POST /search/sitewide-auasd/?q=asd HTTP/1.0" 200
192.168.3.1 Frank Joe [10/Jun/2014:14:34:26 -0400] “GET /ican’t/believe/buterr$qw387 HTTP/1.0" 200
192.168.4.1 June Joe [10/Jun/2014:15:34:26 -0400] "POST /jasper/heafty/trash/ HTTP/1.0" 200

Here’s what I am using for the transform:

regex:
([^\s]+) ([^\s]+) ([^\s]+) \[([^\]]+)\] \"([^\s]+) ([^\s]+) ([^\s]+) ([^\s]+) ([^\s]+)
format:
ip::"$1" first_name::”$2" last_name::"$3" date::"$4" method::"$5" uri::"$6" httpvers::"$7" status::"$8"

This does the job but what I need is to have the uri get everything between the first “/“ and the last “/“. I need to NOT get data left of the last “/“.
Example (using the log sample):
I want the uri to return this:

/search/sitewide-auasd
/ican’t/believe
/jasper/heafty/trash

Ayn · ‎06-11-2014

REGEX = (\S+) (\S+) (\S+) \[(.+?)\] "(\S+) (.+)/\S+ ([^"]+)" (\d+)
FORMAT = ip::"$1" first_name::”$2" last_name::"$3" date::"$4" method::"$5" uri::"$6" httpvers::"$7" status::"$8"

Filed transformation / regex help

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?