Splunk Search

Regex with forward slash character

Keyrl
Explorer

Hi,

I'm trying to extract two fields from a precalculated field and so far I'm having trouble with the forward slash character.
My field is formed like this:

FieldGlobal=Field1/Field2

I've tried the following: rex field=FieldGlobal "(?<FieldExtracted1>[a-zA-Z0-9]+)\/(?<FieldExtracted2>[a-zA-Z0-9]+)"

So far, it works for a lot of logs but for some, it gave something like:

FieldExtracted1=Field1%2fField2

Do you know how to work with that?

Regards


Keyrl
Explorer

I found my problem ...
The logs I was trying to parse were Internet access logs.
I was trying to separate the precalculated MIME type field, which was formed like this:
mt=video/mp4, for example.

My extraction was: rex field=mt "(?<FieldExtracted1>[a-zA-Z0-9]+)\/(?<FieldExtracted2>[a-zA-Z0-9]+)"

And ... I discovered that some logs include the "mime" value in the URL ...
So the treatment I was trying to do was also based on this value ...

I've corrected the name of the extracted field and it's working fine ...

Thanks a lot for your help!



somesoni2
Revered Legend

Glad things are working for you now. You can accept your own answer to mark this question as resolved.


somesoni2
Revered Legend

Give this a try

your base search | rex field=FieldGlobal "(?<FieldExtracted1>[^\/]+)\/(?<FieldExtracted2>.+)"

Keyrl
Explorer

Thanks for your help!

Same result apparently. I still have the "/" character that seems to be converted to %2F in some logs ...


somesoni2
Revered Legend

I guess the raw data itself contains that forward slash converted to %2F. So how about this?

your base search | rex field=FieldGlobal "(?<FieldExtracted1>.+?)(\/|%2F)(?<FieldExtracted2>.+)"
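The two ways of dealing with the encoded slash discussed in this thread, as an added Python example (not SPL, and not code from the thread): match either separator directly, or decode once and split on the literal slash (Splunk's urldecode() eval function does the same decoding). One detail worth noticing: the value quoted earlier in the thread is `Field1%2fField2` with a lower-case f, while the pattern above uses `%2F`, and rex is case-sensitive unless the pattern starts with `(?i)`. The sample values are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample values of the precalculated field, modelled on the thread:
# a plain slash, an upper-case and a lower-case percent-encoded slash, and a
# value with no separator at all.
SAMPLES = ["video/mp4", "Field1%2FField2", "Field1%2fField2", "nosep"]

# What the original rex does: split on a literal slash only.
SLASH_ONLY = re.compile(r"^(?P<FieldExtracted1>[^/]+)/(?P<FieldExtracted2>.+)$")

# Accept a literal or a percent-encoded slash. re.IGNORECASE makes %2f and %2F
# both match; in Splunk rex the equivalent is prefixing the pattern with (?i).
SLASH_OR_ENCODED = re.compile(
    r"^(?P<FieldExtracted1>.+?)(?:/|%2F)(?P<FieldExtracted2>.+)$", re.IGNORECASE
)


def extract(value, pattern=SLASH_OR_ENCODED):
    """Return (FieldExtracted1, FieldExtracted2), or None when the pattern does not match."""
    m = pattern.match(value)
    if m is None:
        return None
    return m.group("FieldExtracted1"), m.group("FieldExtracted2")


def extract_after_decode(value):
    """Alternative: decode percent-encoding once (as Splunk's urldecode() does), then
    split on the literal slash. Decoding once only: a doubly encoded %252F becomes
    %2F, not a slash, so it does not turn into a separator by accident."""
    return extract(unquote(value), SLASH_ONLY)


def extract_all(values=SAMPLES):
    """Run all three variants over the samples so the differences are visible."""
    return {v: (extract(v, SLASH_ONLY), extract(v), extract_after_decode(v)) for v in values}


if __name__ == "__main__":
    for value, results in extract_all().items():
        print(value, "->", results)
```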

Keyrl
Explorer

Mmhhh, already tried it and it's even worse 🙂
I don't understand why, as it should match ...


somesoni2
Revered Legend

Well, at this point I would ask for sample events (scrub any sensitive information) for both scenarios (where it's working and where it's not).
