First fyi, i have searched answers and am having an issue finding something that works. I am an end user (and a newbie) to Splunk and have data from a log looking like this (snippet):
{\\\"routepoint\\\":\\\"1234567890\\\",\\\"prefix\\\":\\\"\\\",
I want to pull field called "routepoint" with the value 1234567890.
I tried:
rex field=_raw "\"routepoint\\\\\\\":\\\\\\\"(?<routepoint>\d+)\\\\\\\""
and then tried to do a | table routepoint but it isn't working.
Hoping there is a better way of extracting this field. Thanks in advance for helping this newbie!
Beachsandguy
Related
I have values like this one in my db
ale
I would like to get the result ale when I query for alexander
I tried to do it like this, new MongoRegex("/^alexander/i") but no luck, how can i overcome this issue and get the result ale when I query for alexander
I am trying to do url matching system, when a user sets matching for asd.com/cat I have to match asd.com/cat/car and asd.com/cat/home, etc. I am trying to accomplish this, thank you
If I understood correctly, you need to match any url wit same form up to last slash. Im afraid you will have to do it in two steps. Fisrt isolate the first part of url with
.*\/
this will match asd.com/cat/ . And then you can search for this string with anything after it.
^asd.com/cat/.*
I have some data that I need help cleaning up. For some reason, tracking params are being stored within the database so what is the best way to extract the search query minus the tracking params using regex? I need to extract the following search queries:
things to do
las vegas
airport parking
from the following data:
{"query":"things to do","prefilteredchannel":"gpse
{"query":"las vegas","prefilteredchannel":"gpsea
{"query":"airport parking
I've tried a few things but I can only match the things I don't care about and I don't know how to just extract the search query. I'm new to this so any help would be appreciated.
Any ideas on how to make this work with the Platfora regex_replace:
http://documentation.platfora.com/webdocs/index.html#reference/expression_language/function_regex_replace.html
use this regex . its quite simple
{"query":"([^"]*)(?:"|$)
See demo here regex101
You can use following:
\{"query":"([^"]*|$)
It will match the query value until " is encountered or end of string (whichever comes first).
Demo
I am attempting to parse some logs to get the specific catalog numbers for the items viewed. I have broken out all the necessary fields and am now parsing the referer field to get the catalog id of the page viewed.
The strings are in the following formats:
/catalog/AAA1111111
/catalog/BBB-22222-1/
/catalog/CCC-333333/XXX
http://url/catalog/DDD-44444444
http://url/catalog/EEE-555555555/ZZZ
I am using the following regex to strip out the catalog id:
.*\/catalog\/([^\/]+)
The problem is that I cannot stop the regex from grabbing everything after the next forward slash. It looks like it is to greedy?
The results are:
AAA1111111
BBB-22222-1/
CCC-333333/XXX
DDD-44444444
http:EEE-555555555/ZZZ
I've been banging my head on this one for a couple of hours.
I am just looking for a regex that will split out just the catalog id (the string after catalog/.)
Can anyone help guide this old coder in the proper direction?
Many thanks.
using sed
cat catalogs | sed -E 's/.*\/catalog\/([^/]+)\/?.*/\1/g'
results in
AAA1111111
BBB-22222-1
CCC-333333
DDD-44444444
EEE-555555555
note the only modification is matching the trailing stuff
Why using a regex when you can split on "/catalog/", take the last item then split on "/" and take the 1st item ?
In Python, this could be done like this :
line.split('/catalog/')[-1].split('/')[0]
Just wanted to point out that regexp are not the solutions for every string parsing problems.
Often, when you're faced to "greedy" parsing, doing a "manual" modification before using regexp helps
I'm relatively new to regex and in order to set up a goal in Google Analytics, I'd like to use a regular expression to match a URL containing both "thank-you" and "purchaseisFree=False" but exclude two specific rate plans that are represented in the URL as "productRatePlanID=5197e" and "productRatePlanID=c1760".
Here is a full URL example:
https://www.examplepage.com/thank-you?productRatePlanId=5197e&purchaseIsFree=False&grossTotal=99.95&netTotal=99.95&couponCode=&invoiceNumber=INV00000589
I tried using this post as a model and created this regex:
\bthank-you\b.+\purchaseIsFree=False\b(?:$|=[^c1760]|[^5197e])
However, I'm not getting the desired results. Thanks in advance for any suggestions.
I think the below mentioned regex should solve your problem. It uses the positive|negative look ahead facility. We can sit at the beginning of http[s] and check all the three condition and then engulp the whole tree
(https?:\/\/)(?=.*?productRatePlanId=(?!5197e&)(?!c1760&))(?=.*?thank-you)(?=.*?purchaseisFree=False).*
Note:- I have used & after the productRatePlanId values just to ensure it doesnt ignore other values as 5197f, 5198d and all other sorts of values.
I'm currently having some trouble wrapping my head around regular expressions, which is where I hope some of you regex guru's out there might be able to assist with.
I'll briefly explain my problem with an example of what I am trying to achieve.
I have an input string, with a key and value I am looking for, which look somewhat like this:
G01::Notice ((The customer already exists))
G01::MyNotice ((The customer already exists, nevermind...))
G02::OrderConfirm ((The order has been comfirmed!
Please inform the customer that his orders will arrive soon.))
In the above examples, I would like to get everything for G01:: which is enclosed within the parentheses. So my pattern is
Looking at the three input strings, I should add a few notices:
I am not sure if your question is complete ...
Is it this what you want?
G01::[^(]*\(\(([^)]*)
See it here on Regexr. The text within the brackets is in the capture group 1.
Try this regex: G01::\w+ \(\((.*?)\)\)
Not a complete question, but how about this one?
.*\((.*?)\)
Result 1
The customer already exists
Result 2
The customer already exists, nevermind...
Result 3
The order has been comfirmed! Please inform the customer that his orders will arrive soon.
On rubular
G01.*\(\((.*)\)\) seems to work (unless I misunderstood your question).