What is the best way to specify/access a specific item in a delimited field in Splunk?

Time:03-05

I'm very new to regex and such, I have tried to look for a similar answer but nothing jumping out to me.

I'm trying to refine searches in Splunk using a regex. Is there any way that I can define delimited fields and only focus on that area? For example:

hxxps://example.com/examplefolder/examplestring/

I wanted to match conditions only within the <examplestring> field. I understand that using $ will set the end of the string, however I need to only match if it is the 'fourth' field from the start of the string, if the delimiter was '/'.

So far I am just using \/[a-zA-Z0-9]{10,15}\/$ to match characters between 10 and 15 in length, it matches based on that last field but other entries match this such as:

hxxps://example.com/examplestring2/

Is there a recommendation as to how I can use regex to focus the matching to a set 'field' (field4) of the string using '/' as a delimiter please?

hxxps:/<field1>/<field2>/<field3>/<field4>/<field5>

I have confused myself just trying to explain what I'm after, so please feel free to probe me if I'm making no sense.

CodePudding user response:

You might consider using a combination of the eval functions split and mvindex:

index=ndx sourcetype=srctp url=*
| eval url_parts=split(url,"/")
| eval segment=mvindex(url_parts,4)
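As an added illustration (not part of the answer above), the following Python mirrors what the two `eval` statements do and also shows the regex-only approach the question asked about: anchoring on the fourth '/'-delimited field counted from the start of the string rather than on `$`. The URL values are constructed to match the question's examples; the function names are mine.

```python
import re

# Constructed sample URL values, as they might appear in a proxy or web log.
# "hxxps" mirrors the defanged scheme used in the question.
SAMPLE_URLS = [
    "hxxps://example.com/examplefolder/examplestring/",
    "hxxps://example.com/examplestring2/",
    "hxxps://example.com/a/b/c/d/e",
]


def split_segment(url, index):
    """Python equivalent of split(url,"/") followed by mvindex(url_parts, index).

    split() keeps empty segments, so "hxxps://host/..." becomes
    ["hxxps:", "", "host", ...] and index 4 is the second path element,
    which is <field4> in the question's template. Returns None when the
    field does not exist, as mvindex() returns null out of range.
    """
    parts = url.split("/")
    return parts[index] if 0 <= index < len(parts) else None


# Regex alternative: consume exactly four '/'-delimited fields from the start
# of the string (the empty field after "hxxps:" counts), then require 10-15
# alphanumerics followed by a slash. [^/]* cannot cross a delimiter, so the
# repetition count is exact and "hxxps://example.com/examplestring2/" fails.
FIELD4_RE = re.compile(r"^(?:[^/]*/){4}([A-Za-z0-9]{10,15})/")


def match_field4(url):
    """Return the fourth field if it has 10-15 alphanumerics, else None."""
    m = FIELD4_RE.match(url)
    return m.group(1) if m else None


def matching_urls(urls):
    """Filter a list of URLs to those whose fourth field satisfies the rule."""
    return [u for u in urls if match_field4(u) is not None]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", split_segment(u, 4), "| regex:", match_field4(u))
```

The split/mvindex form is easier to read in SPL and does not depend on a fixed character class; the anchored regex is what to reach for when the match must happen inside `rex` or a search-time field extraction where only one expression is available.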