topic How to search multiple values using wildcard in a field? in Splunk Search

How to search multiple values using wildcard in a field?

nbhat — Thu, 28 Apr 2022 20:50:43 GMT

I am producing some stats in splunk but I want to extract data for about 10 uri_method instead of 100s currently displayed in the table. The last line is where I am getting stuck. I want to be able to search uri_method for multiple values with wildcard.

i.e. the following should be returned

www.example.com/v2/customers/* (HEAD)

example.co.uk/v1/orders/* (HEAD)

www.example.com/xy/customers/* (GET)

www.abc.com/v3/customers (GET)

www.GetOrder.com/v2/orders/* (GET)

www.ListOrders.com/v2/orders (GET)

www.ListAddresses.com/xy/customers/*/addresses (GET)

BUT NOT:

www.example.com/xy/customers/*/details (GET)

www.GetOrder.com/v2/orders/*/shipping/* (GET)

www.GetOrder.com/v2/orders/*/returns/* (GET)

If I remove the where clause(last line), I get 100s of results. I want to list only some items(uri_method) that end with "customers/* (HEAD)", "orders/* (HEAD)", "customers/* (GET)", "customers (GET)", "orders (GET)","orders/* (GET)", "addresses (GET)" etc.

If I use Where clause with field name "IN", the wildcard * is not considered. If I use LIKE, I'm not sure how to add multiple values to where clause. Please help.

index=main env=test ("*Method=GET*" OR "*Method=HEAD*") "StatusCode=200"
| rex field=log "ResponseTime=(?<ResponseTime>\d+)"
| rex field=log "StatusCode=(?<StatusCode>\d+)"
| rex field=log "\"?Method\"?\=(?<Method>[^,]*)"
| rex field=log "Uri=(?<uri>[^\,?]+)"
| rex field=uri "uri=(?<uri>[?].*)"
| eval uri = urldecode(uri)
| eval uri = replace(uri, "/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}","/*")
| eval uri = replace(uri, "(\/[0-9]+)", "/*")
| eval uri_method = uri + " (" + Method + ")"
| stats perc95(ResponseTime) as response, count as request_rate by uri_method, StatusCode
| eval score = toNumber(response) * toNumber(request_rate)
| sort -score
| table uri_method,StatusCode,response,request_rate ,score
| where uri_method IN ("*customers/* (HEAD)","*orders/* (HEAD)", "*users/* (HEAD)", "*customers/* (GET)", "*customers (GET)", "*orders (GET)","*orders/* (GET)", "*addresses (GET)")

Re: Search multiple values using wildcard in a Field

ITWhisperer — Thu, 28 Apr 2022 17:28:23 GMT

| where match(uri_method ,"\/customers/\* \(HEAD\)") OR match(uri_method ,"\/orders\/\* \(HEAD\)") OR match(uri_method ,"\/users\/\* \(HEAD\)") OR match(uri_method ,"\/customers\/\* \(GET\)") OR match(uri_method ,"\/customers \(GET\)") OR match(uri_method ,"\/orders \(GET\)") OR match(uri_method ,"\/orders\/\* \(GET\)") OR match(uri_method ,"\/addresses \(GET\)")

Re: Search multiple values using wildcard in a Field

VatsalJagani — Thu, 28 Apr 2022 17:34:45 GMT

@nbhat - You can use the search command as well, which is what you are currently using syntax for.

| search uri_method IN ("*customers/* (HEAD)","*orders/* (HEAD)", "*users/* (HEAD)", "*customers/* (GET)", "*customers (GET)", "*orders (GET)","*orders/* (GET)", "*addresses (GET)")

I hope this helps!!!

Re: Search multiple values using wildcard in a Field

ITWhisperer — Thu, 28 Apr 2022 17:44:10 GMT

@VatsalJagani This doesn't eliminate the last 3 as they still match against "customer/* (GET)" or "orders/* (GET)" when search is used

Re: Search multiple values using wildcard in a Field

VatsalJagani — Thu, 28 Apr 2022 17:54:58 GMT

Ohh I see that makes sense!! It took me 2 min to understand this because I missed that part from the question. @ITWhisperer 🙌🙏🙌

Thanks!!