topic Re: How to extract API name from below URL field in Splunk, in Splunk Search

How to extract API name from below URL field in Splunk,

ravimishrabglr — Wed, 11 Dec 2019 06:37:59 GMT

U="/my-web/services/v1/2/cartMetadata"
U="/my-web/services/v1/2/cartMetadata/delivery"
U="/my-web/services/v1/cps/getContent/8efa90da34cb4046ae0c65b2935ff5bc"

Trying using : ^(?:[^/\n]*/){5}(?P\w+) but getting result as-

cartMetadata
getContent

But I want this-
cartMetadata
delivery
getContent

Please help.

Re: How to extract API name from below URL field in Splunk,

richgalloway — Wed, 11 Dec 2019 13:05:20 GMT

What are the rules for deciding where the API name is? Your regex extracts the fifth element of the URL, but your desired results call for either the 5th or 6th. What is the determining factor?

Re: How to extract API name from below URL field in Splunk,

gf13579 — Wed, 11 Dec 2019 22:00:57 GMT

This feels hacky and wrong, but it works with your sample data and required outcome:

\/(?<api_name>[^\/]+)(\/([a-z0-9]{32})|$)

It works on the basis that you might have a 32 character hex string at the end, or might not - but you don't care what it is.

As per comments from @richgalloway above, it's unclear what the rules should be for determining the value you're after.

Here's that regex in action:

| makeresults
| eval U = "/my-web/services/v1/2/cartMetadata /my-web/services/v1/2/cartMetadata/delivery /my-web/services/v1/cps/getContent/8efa90da34cb4046ae0c65b2935ff5bc"
| makemv delim=" " U | mvexpand U
| rex field=U "\/(?[^\/]+)(\/([a-z0-9]{32})|$)"

Re: How to extract API name from below URL field in Splunk,

ravimishrabglr — Wed, 30 Sep 2020 03:22:06 GMT

@richgalloway I want last part of the url, if it has 32 digit id in the last then ignore it and get second last part.
I tried regex as per @gf13579 in my below query but it is returning getContent ONLY. please help me if my query is right. U is the field here and i am trying to create a board to show latency of all APIs.

index="myIndex" host="myApp" source="mySource" sourcetype="mySourceType" (MTHD="POST" OR MTHD="GET") | rex field=U "\/(?[^\/]+)(\/([a-z0-9]{32})|\"$)" |
dedup CR,RE | stats count as TotalReq, min(D) as Min, max(D) as Max, avg(D) as Avg, perc95(D) as P95, perc98(D) as P98, perc99(D) as P99 by ApiName, MTHD | addinfo |
eval range = info_max_time - info_min_time | eval TPS=round(TotalReq/range,2) | eval Avg=round(Avg,2) |
fields ApiName, MTHD, TotalReq, TPS, Min, Max, Avg, P95, P98, P99

Re: How to extract API name from below URL field in Splunk,

ravimishrabglr — Thu, 12 Dec 2019 06:11:06 GMT

@gf13579 Thanks for the answer! I feel it is very close, could you please have a look in my comment in the question for more detail.

Re: How to extract API name from below URL field in Splunk,

gf13579 — Thu, 12 Dec 2019 06:13:12 GMT

| makeresults
| eval U = "/my-web/services/v1/2/cartMetadata /my-web/services/v1/2/cartMetadata/delivery /my-web/services/v1/cps/getContent/8efa90da34cb4046ae0c65b2935ff5bc"
| makemv delim=" " U | mvexpand U
| rex field=U "\/(?[^\/]+)(\/([a-z0-9]{32})|$)"

Re: How to extract API name from below URL field in Splunk,

gf13579 — Thu, 12 Dec 2019 06:13:49 GMT

I updated it based on your clarification that U is the field name rather than U= being part of the value

Re: How to extract API name from below URL field in Splunk,

gf13579 — Thu, 12 Dec 2019 06:15:39 GMT

Re: How to extract API name from below URL field in Splunk,

vnravikumar — Thu, 12 Dec 2019 07:02:21 GMT

Give a try, based on length 32 i ignored last part

| makeresults 
| eval U = "/my-web/services/v1/2/cartMetadata /my-web/services/v1/2/cartMetadata/delivery /my-web/services/v1/cps/getContent/8efa90da34cb4046ae0c65b2935ff5bc" 
| makemv delim=" " U 
| mvexpand U 
| makemv delim="/" U 
| eval API  = if(len(mvindex(U,mvcount(U)-1))==32,mvindex(U,mvcount(U)-2),mvindex(U,mvcount(U)-1))

Re: How to extract API name from below URL field in Splunk,

ravimishrabglr — Thu, 12 Dec 2019 10:18:21 GMT

Thank you @gf13579 it worked!!! I will Accept the answer.