topic Re: Interesting regex in Splunk Search

Interesting regex

dbcase — Mon, 15 Oct 2018 20:31:37 GMT

Hi,

I have the below data and looking to determine the API call name .

For the first one the name would be

alarmSessions

The follow the same pattern until the 4th one. The API name in that one is

actionTemplate

Also sometimes the /rest/icontrol will be /rest/async/icontrol or /restOperation/(whatever)

Any regex gurus out there that can help with with one??

Thank you!!!

10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.72.114, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/239466/alarmSessions?maxResults=1 HTTP/1.1" 200 360 0 UCT-9178 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 maxResults =   1 timeendpos =  105 timestartpos =  79
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "174.238.30.224, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/async/icontrol/sites/607321/deltas?spsId=55056 HTTP/1.1" 200 1574 0 UCT-1794 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16A366" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 spsId =    55056 timeendpos =  106 timestartpos =  80
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.22.161, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/244140/cmsInfo HTTP/1.1" 200 970 0 UCT-31983 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G935T Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   105 timestartpos =  79
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.5 "107.77.197.229, 10.210.192.5" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1" 200 3374 0 UCT-60344 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-N950U Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   104 timestartpos =  78
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.22.161, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/244140/rules HTTP/1.1" 200 1694 0 UCT-131279 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G935T Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   105 timestartpos =  79
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.73.206, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "POST /rest/icontrol/sites/612724/network/instances/13b0ce18140337362f.1.0/points/isOn?value=false HTTP/1.1" 202 9 0 UCT-37015 "-" "Mozilla/5.0 (Linux; Android 7.1.1; SM-J700T Build/NMF26X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   105 timestartpos =  79 value =  false
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "107.77.197.229, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1" 200 3374 0 UCT-52230 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-N950U Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"

Re: Interesting regex

Vijeta — Mon, 15 Oct 2018 22:24:37 GMT

Try this for GET

 rex field=_raw "GET \W+\w+\S+\d+\W+(?<text>\w+)\?"

Re: Interesting regex

MuS — Mon, 15 Oct 2018 22:25:41 GMT

Hi dbcase,

Not that I'm an regex expert 😉 But give this a try, it worked on your provided samples:

 ... | rex "\/(?<myREST>\w+)(?:\?.+|\s)HTTP"

This will give you a field called myREST with values like alarmSessions, isOn or cmsInfo.

Hope this helps ...

cheers, MuS

Re: Interesting regex

gjanders — Mon, 15 Oct 2018 22:31:02 GMT

I started with:

| rex "/rest(Operation)?/([^/]+/){4}(?P<thefieldname>[^/? ]+)"

But I don't have enough info on what your trying to match here, I mean if icontrol is always there then:

| rex "/rest(Operation)?/icontrol/([^/ ]+/)+(?P<thefieldname>[^/? ]+)"

Either way I think you need more examples to truly make this work...try those two on https://regex101.com/

Re: Interesting regex

wrangler2x — Mon, 15 Oct 2018 22:58:06 GMT

... | rex "sites\/\d+\/(?:templates\/)?(?<APIcall>[^?\s]+)"

Returns these results for APIcall:

Match 1
Group APIcall 160-173 alarmSessions
Match 2
Group APIcall 730-736 deltas
Match 3
Group APIcall 1284-1291 cmsInfo
Match 4
Group APIcall 1863-1878 actionTemplates
Match 5
Group APIcall 2442-2447 rules
Match 6
Group APIcall 3013-3065 network/instances/13b0ce18140337362f.1.0/points/isOn
Match 7
Group APIcall 3667-3682 actionTemplates

Your intro made it look to me like you wanted everything after sites/somenumber except in the 4th you specifically said the result should be actionTemplate so I skipped /templates/. However, you did not say that #6 should be just isOn so I include the longer result for that one. If you wanted just what MuS returned, you are also all set.