Solved: How to extract a text from a field

nirmalya2006 · ‎07-15-2016

Hi All

I have a field which has urls in this pattern

GET /echo/index?page=content&id=PRO19579&viewlocale=es_ES HTTP/1.1  
GET /echo/index?page=relatedLinks&id=PRD1296&viewLocale=null&channel=REFERENCE&_=1454507716347 HTTP/1.1

I have to extract only the part between 'page' and '&' ie 'content' and 'relatedLinks' from it.
I tried to extract it using substr and rtrim but I am unable to trim contents after &.
My search string is

| eval URL = substr(field7,17) | eval URL = rtrim(URL,"^\\&.*")

After using substr my result is

page=content&id=PRO19579&viewlocale=es_ES HTTP/1.1
page=relatedLinks&id=PRD1296&viewLocale=null&channel=REFERENCE&_=1454507716347 HTTP/1.1

But the rtrim function is not at all working to remove the text with and after &.

Please help.

sundareshr · ‎07-15-2016

Use rex instead

... | rex "page=(?<page>[^&]+)" | table page

View solution in original post

sundareshr · ‎07-15-2016

Use rex instead

... | rex "page=(?<page>[^&]+)" | table page

How to extract a text from a field

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!