
I'm very new to regex and such. I have tried to look for a similar answer, but nothing is jumping out at me.

I'm trying to refine searches in Splunk using a regex. Is there any way that I can define delimited fields and only focus on that area? For example:

hxxps://example.com/examplefolder/examplestring/

I want to match conditions only within the <examplestring> field. I understand that using $ will set the end of the string; however, I need to match only if it is the 'fourth' field from the start of the string, if the delimiter is '/'.

So far I am just using \/[a-zA-Z0-9]{10,15}\/$ to match characters between 10 and 15 in length. It matches based on that last field, but other entries match this too, such as:

hxxps://example.com/examplestring2/

Is there a recommendation as to how I can use regex to focus the matching to a set 'field' (field4) of the string using '/' as a delimiter please?

hxxps:/<field1>/<field2>/<field3>/<field4>/<field5>

I have confused myself just trying to explain what I'm after, so please feel free to probe me if I'm making no sense.

warren
  • The way is to start the pattern with `^`, describe the "first three fields", and then build the description of your fourth field with a subpattern that forbids the character `/`. Something like `^http://(?:[^/]*/){3}/yoursubpattern` – Casimir et Hippolyte Mar 02 '22 at 17:08
  • Try not to ask how to do so and so *using x* (in this case *Regex*). *X*, or *Regex*, may not always be the best way to approach your problem to begin with. Have you considered just splitting the string on `'/'` and taking the 4th or 5th index? – maraaaaaaaa Mar 02 '22 at 20:55


You might consider using a combination of the eval functions `split` and `mvindex`:

```spl
index=ndx sourcetype=srctp url=*
| eval url_parts=split(url,"/")
| eval segment=mvindex(url_parts,4)
```
warren
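As an added illustration (not code from the question or the answer), the following Python script runs both approaches from this thread over constructed sample URLs: an anchored regex that pins the 10-15 character rule to the fourth '/'-separated field, and a split/index helper that mirrors the answer's `split`/`mvindex` SPL. The pattern, sample URLs and function names are my own assumptions, and the last sample shows where the two approaches diverge.

```python
import re

# Constructed sample URLs for the example (not from real logs); "hxxps" is the
# defanged scheme spelling used in the question, kept here as-is.
SAMPLE_URLS = [
    "hxxps://example.com/examplefolder/examplestring/",       # target in 4th split field
    "hxxps://example.com/examplestring2/",                     # too few fields
    "hxxps://example.com/a/b/examplestring/",                  # target sits in the 5th field
    "hxxps://example.com/examplefolder/short/",                # 4th field shorter than 10 chars
    "hxxps://example.com/examplefolder/examplestring/more/",   # 4th field is not the last one
]

# Regex approach (assumed pattern): anchor at the start, consume exactly two
# '/'-terminated fields after the scheme (host and first path segment), then require
# the next field to be 10-15 alphanumerics and to be the final field before end of string.
FOURTH_FIELD_RE = re.compile(r"^[a-z]+://(?:[^/]+/){2}([A-Za-z0-9]{10,15})/$")


def fourth_field_regex(url: str):
    """Return the matched fourth field, or None when the URL does not qualify."""
    m = FOURTH_FIELD_RE.match(url)
    return m.group(1) if m else None


def fourth_field_split(url: str):
    """Mirror the answer's SPL: split(url,"/") then mvindex(parts,4).

    mvindex is 0-based, so index 4 skips 'hxxps:', the empty element between the
    two slashes, the host and the first path segment. Returns None when there is
    no such element, as mvindex does for an out-of-range index.
    """
    parts = url.split("/")
    return parts[4] if len(parts) > 4 else None


def fourth_field_split_filtered(url: str):
    """Split approach plus the length/charset rule from the question's regex.

    Unlike the anchored regex, this does not require the field to be the last one.
    """
    seg = fourth_field_split(url)
    if seg is not None and re.fullmatch(r"[A-Za-z0-9]{10,15}", seg):
        return seg
    return None


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}\n  regex={fourth_field_regex(u)!r} split={fourth_field_split(u)!r} "
              f"split+filter={fourth_field_split_filtered(u)!r}")
```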