topic Regex for uri path in Splunk Search

Regex for uri path

loadtest — Tue, 11 Mar 2014 19:49:50 GMT

Hi,

I'm having trouble extracting the uri_path of my log files.

Here's an example of a line in my log file

115.252.41.38 "65.165.121.16" - www.site.com [27/Feb/2014:23:29:59 -0500] "GET /images/focus/gallery/?zipCode=70006&distance=50 HTTP/1.1" 200 67362 1 esds036b.md5.site.com:9789 "-" "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53"

I'm trying to extract out "/images/focus/gallery/" with a Regex, but am having difficulties in doing so. Any help is appreciated.

Re: Regex for uri path

lukejadamec — Tue, 11 Mar 2014 19:59:40 GMT

Try this:

search | regex "\s/[^ ]+/[^ ]+/[^ ]+/"

Re: Regex for uri path

loadtest — Tue, 11 Mar 2014 20:10:15 GMT

How would I extract the path out to a variable to chart it? For example the top used paths using "top limit=2 uri_path"

Re: Regex for uri path

lukejadamec — Tue, 11 Mar 2014 21:32:20 GMT

You can try rex:

search | rex "^.*\s(?P<uri_path>/[^ ]+/[^ ]+/[^ ]+/)\S"

That should pull out a uri_path field that can be used for statistics or charting.

Re: Regex for uri path

ianathompson — Thu, 28 Aug 2014 08:44:06 GMT

For the weblogs, I just used the inline field extractor with some small changes to extract the uriPath from the uri field that was imported from the AWS ELB logs I received. The main issue is some URIs have query fields (?key=value) and some do not. This has worked for me so far.

rex field=uri "(?i)^(?:[^/]*/){3}(?P<uriPath>[^(\?|\s)]+)"

If I make any more changes, I will update the rex.

Also you can check out the URL Parser app in the Splunk App Store. Just take note that it has errors in the code that have to be corrected. They are noted here.