topic Re: regexp in Splunk in Getting Data In

regexp in Splunk

laurentiugrama — Tue, 31 Aug 2021 07:04:28 GMT

I tried to find a solution in order to parse some URL to obtain the base but it seems that I cannot succeed.

For the between GET/POST and HTTP I want to return the baseurl as in the examples below

GET /gw/api/aaa/v1/ HTTP - to return /gw/api/aaa/v1
GET /gw/api/abc/v3 HTTP - to return /gw/api/abc/v3
POST /gw/api/cba/ HTTP - to return /gw/api/cba
POST /gw/transactions/swaggers/v2 HTTP - to return /gw/transactions/swaggers/v2
POST /gw/api/swaggers/v1/asd?dssa HTTP - to return /gw/api/swaggers/v1/asd
POST /api/swaggers/ HTTP - to return /api/swaggers
GET /api/cashAccountOpenings/v3/sadsa-123312-1312 HTTP - to return /api/cashAccountOpenings/v3

I added this examples to regex101.com to be easier to find a solution.

https://regex101.com/r/oLXtw8/1/

Re: regexp in Splunk

gcusello — Tue, 31 Aug 2021 07:21:19 GMT

Hi @laurentiugrama,

sorry, what's the question?

the regex seems to be correct, even if I'd use an easier regex:

[GET|POST]\s(?<URL>.+)\s+(HTTP)

Ciao.

Giuseppe

Re: regexp in Splunk

laurentiugrama — Tue, 31 Aug 2021 07:27:56 GMT

Thank you for the response but the expression returns URL not baseurl

As I said, I trayed to obtain the baseurl from an url

Re: regexp in Splunk

gcusello — Tue, 31 Aug 2021 07:34:15 GMT

Hi @laurentiugrama,

sorry but I don't understand: what do you mean with baseurl?

the name of the field or a part of the URL?

If you want the name of the field you can modify the regex:

| rex "[GET|POST]\s(?<baseurl>.+)\s+(HTTP)"

if instead you want a part of the URL, e.g. the first two sections, you could use something like this:

| rex "[GET|POST]\s(?<baseurl>\/\w+\/\w+\/)\s+(HTTP)"

Ciao.

Giuseppe

Re: regexp in Splunk

laurentiugrama — Tue, 31 Aug 2021 07:48:15 GMT

In the first post I explained what is the URL and what I want to obtain from regext

for first line the url is /gw/api/aaa/v1/ and the baseurl is /gw/api/aaa/v1

GET /gw/api/aaa/v1/ HTTP - to return /gw/api/aaa/v1
GET /gw/api/abc/v3 HTTP - to return /gw/api/abc/v3
POST /gw/api/cba/ HTTP - to return /gw/api/cba
POST /gw/transactions/swaggers/v2 HTTP - to return /gw/transactions/swaggers/v2
POST /gw/api/swaggers/v1/asd?dssa HTTP - to return /gw/api/swaggers/v1/asd
POST /api/swaggers/ HTTP - to return /api/swaggers
GET /api/cashAccountOpenings/v3/sadsa-123312-1312 HTTP - to return /api/cashAccountOpenings/v3

Re: regexp in Splunk

gcusello — Tue, 31 Aug 2021 08:07:40 GMT

Hi @laurentiugrama,

ok, sorry for the misunderstanding!

Please try this:

Ciao.

Giuseppe

Re: regexp in Splunk

laurentiugrama — Wed, 01 Sep 2021 07:55:13 GMT

Your solution it works well.

Do you think that it's possible to have a solution based on only one regexp iteration ?

Re: regexp in Splunk

gcusello — Wed, 01 Sep 2021 08:44:09 GMT

Hi @laurentiugrama,

probably it's possible, I'll try tomorrow (today I'm out!).

Ciao and happy splunking.

Giuseppe

Re: regexp in Splunk

PickleRick — Wed, 01 Sep 2021 19:33:23 GMT

(?<method>\S+)\s(?<path>/[^?]*)(\?(?<query>\S*))?

Typing on my phone, didn't verify it 😉