Splunk Search

How to write the regex in my search to extract first part of uri path in access logs?

puneetkharband1
Path Finder

Below is the string I need to extract ROM_RAMESH from, and similarly there are multiple clients' info, so I need a regular expression, and I am very new to that.
I used the extract field but can't get what I need ...

21.432.632.53 - - [14/Jan/2015:13:23:57 -0500] "GET /ROM_RAMESH/images/bg.gif HTTP/1.1" 200 64 - 38E8352722F7ADE88844A3B026752BCC.bgitcostumen1 - - https://cbsplake.boysdtom.com/ROM_RAMESH/BrandHistory.do -

When I use this:

index="cc_web" sourcetype=* | rex field=_raw "(?i)^(?:[^\-]*\-){6}\s+(?P<Clients>.+?)\w+\.\w+\s+" | top limit=100 Clients

I get only this as a result
https://cbsplake.boysdtom.com/ROM_RAMESH/

I need
ROM_RAMESH


chanfoli
Builder

If your input has the built-in httpd access transforms applied, you should have access to the uri_path field, and this should work and give you a field called field1:

[your search]| rex field=uri_path "^/(?<field1>[^/]*)/"

If you are not using the access log transforms with this sourcetype then the following should also work for GET and POST requests:

 [your search] | rex field=_raw "(GET|POST)\s/(?<field1>[^/]*)/"
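As an added illustration that is not part of either post, the Python script below runs the answer's raw-log regex over the log line from the question plus three constructed lines, and for contrast runs the question's original rex pattern to show why it captured the referer URL. Python's re module only accepts the (?P<name>...) group syntax, so the patterns are written that way; Splunk's PCRE accepts both (?<name>...) and (?P<name>...). The STRICT_RE variant, the function names and the extra sample lines are this example's own additions, not from the answer.

```python
import re

# Sample access-log lines. The first is the line from the question; the other
# three are constructed to exercise a POST, a request with no trailing slash,
# and a request for the site root.
SAMPLE_LOGS = [
    '21.432.632.53 - - [14/Jan/2015:13:23:57 -0500] "GET /ROM_RAMESH/images/bg.gif HTTP/1.1" 200 64 - '
    '38E8352722F7ADE88844A3B026752BCC.bgitcostumen1 - - https://cbsplake.boysdtom.com/ROM_RAMESH/BrandHistory.do -',
    '10.0.0.5 - - [14/Jan/2015:13:24:01 -0500] "POST /ACME_CORP/login.do HTTP/1.1" 302 0 - - - - -',
    '10.0.0.6 - - [14/Jan/2015:13:24:02 -0500] "GET /ACME_CORP HTTP/1.1" 301 0 - - - - -',
    '10.0.0.7 - - [14/Jan/2015:13:24:03 -0500] "GET / HTTP/1.1" 200 512 - - - - -',
]

# The question's rex pattern: skip six '-' separated fields, then capture lazily
# until a word.word<space> token. On the sample line that token is
# "BrandHistory.do ", so the capture ends up being the whole referer prefix.
QUESTION_RE = re.compile(r'(?i)^(?:[^\-]*\-){6}\s+(?P<Clients>.+?)\w+\.\w+\s+')

# The answer's raw-log pattern: first path segment between the slash after
# the method and the next slash.
ANSWER_RE = re.compile(r'(GET|POST)\s/(?P<field1>[^/]*)/')

# Stricter variant (an addition for this example, not from the answer): the
# segment stops at '/', '?' or whitespace and must be non-empty, so a request
# without a trailing slash still yields its first segment and a bare "/"
# request yields nothing instead of spilling into the protocol string.
STRICT_RE = re.compile(r'(GET|POST)\s/(?P<field1>[^/?\s]+)')


def question_regex_capture(line):
    """What the question's rex extracts into the Clients field, or None."""
    m = QUESTION_RE.search(line)
    return m.group('Clients') if m else None


def first_segment(line, pattern=ANSWER_RE):
    """First URI path segment according to the given pattern, or None."""
    m = pattern.search(line)
    return m.group('field1') if m else None


def top_clients(lines, pattern=ANSWER_RE):
    """Rough stand-in for '| top field1': (segment, count) pairs, most frequent first."""
    counts = {}
    for line in lines:
        seg = first_segment(line, pattern)
        if seg is not None:
            counts[seg] = counts.get(seg, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == '__main__':
    print('question rex ->', question_regex_capture(SAMPLE_LOGS[0]))
    for line in SAMPLE_LOGS:
        print(repr(first_segment(line)), '|', repr(first_segment(line, STRICT_RE)))
    print(top_clients(SAMPLE_LOGS, STRICT_RE))
```

Running it shows that the answer's pattern returns ROM_RAMESH and ACME_CORP for the first two lines, but because [^/]* is allowed to be empty and must be followed by a slash, a request line such as "GET /ACME_CORP HTTP/1.1" gives "ACME_CORP HTTP" and "GET / HTTP/1.1" gives " HTTP" (the next slash is the one in HTTP/1.1). If such requests occur in your data, the stricter character class keeps the top report clean; the uri_path version in the answer does not have this problem because that field contains only the path.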