Re: How extract URI using regex?

karthi2809 · ‎01-15-2018

I need to extract fields which mentioned in yellow?

esix_splunk · ‎01-15-2018

You can try the following...

(?<capture1>\/(\w+\/){3})\d+\/(?<capture2>\w+)\/.*\/(?<capture3>\w+)

In SPL...

| makeresults 
| eval URI="/v1/cp/members/257425525/benefits/999F-20180101-20181231-MED/excluded" 
| rex field=URI "(?<capture1>\/(\w+\/){3})\d+\/(?<capture2>\w+)\/.*\/(?<capture3>\w+)"

This will work for up to the third iteration. If you need to keep capturing, you can keep adding to that regex...

mayurr98 · ‎01-15-2018

hey

you can try this run anywhere search

| makeresults | eval URI="/v1/cp/members/257425525/benefits/999F-20180101-20181231-MED/excluded" | rex field=URI "(?<first>^\/[^\/]+\/[^\/]+\/[^\/]+)\/[^\/]+\/(?<second>\w+)"

In your environment, you should write

 <base_search> | rex field=URI "(?<first>^\/[^\/]+\/[^\/]+\/[^\/]+)\/[^\/]+\/(?<second>\w+)"

let me know if this helps!

karthi2809 · ‎01-15-2018

Hi mayurr

Thanks for you valuable answer but i send sample URI .there is lot of URI like this how can we extract using mode=sed

mayurr98 · ‎01-15-2018

try this!
If you want to capture say benefits and excluded in one event then try this!

 | rex field=URI max_match=0 "(MED|\d{2,})\/(?P<sec>\w+)"

OR
if you want in three different field then use this

| rex field=URI "(?<first>^\/[^\/]+\/[^\/]+\/[^\/]+)\/[^\/]+\/(?<second>\w+)\/.*\/(?<Third>\w+)"

How extract URI using regex?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases