topic How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field? in Splunk Search

How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

lanceblais — Thu, 16 Apr 2015 14:57:10 GMT

Hello,

I have data in Splunk Cloud which has a path=/api/versions/:version_id where version_id can be anything acceptable in a URL.

I'm trying to write a search that finds and creates a pie chart of the :version_ids over the past 24 hours and past 7 days.

I've tried this search, but it's not returning the right results:

source=/var/log/mylog.log | rex field=path "/api/versions/(?.*)"

I get results that don't actually match the regex above.

Can anyone point me to some docs so I can get the right usage of the regex and create my dashboard?

Thanks

Re: How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

richgalloway — Thu, 16 Apr 2015 15:19:08 GMT

Slashes must be escaped and your group is mal-formed. Try this:

... | rex field=path "\/api\/versions\/:(?<version_id>.*)"

Re: How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

lanceblais — Thu, 16 Apr 2015 17:33:57 GMT

Thanks for the info. I've adapted my string:

source=/var/log/my.log | rex field=path "\/api\/versions\/:(?.*)"

But it's still matching things like /api/sections/123/items/123

Any ideas?

Note: This box keeps striping out the < version_id >

Re: How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

richgalloway — Mon, 28 Sep 2020 19:34:27 GMT

There's no way "/api/versions/:" can match "/api/sections/". Perhaps it would help if you shared (anonymized) sample data.

($.*) is not a valid regex construct. Use
(?<version_id>.*).

You can change 'version_id' to any string you want to be the field name to hold matching version IDs.

Indent your code by 4 spaces to preserve backslashes and other formatting characters.

Re: How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

somesoni2 — Thu, 16 Apr 2015 17:45:32 GMT

Above does works for me and its not matching. See this runanywhere sample search

| gentimes start=-1 | eval path="/api/versions/:version_id /api/versions/api/sections/123/items/123 /api/versions/123/items/123 /api/versions/:version_id /api/sections/123/items/123" | table path | makemv path | mvexpand path | rex field=path "\/api\/versions\/:(?<version_id>.*)"

Can you post some sample values of field path, including the ones that are not working?