topic How to extract a particular field from a URI in Splunk? in Splunk Search

How to extract a particular field from a URI in Splunk?

jagdeepgupta813 — Wed, 20 Jan 2016 20:05:50 GMT

My data is coming like below in splunk

method=PUT uri=/AppA/USA/comp1/Refrence/20160120A123456/price query= httpstatus=200 bytes=7772 processtime=682 ms

method=PUT uri=/AppA/USA/comp2/tax query= httpstatus=200 bytes=7772 processtime=682 ms

I want to get the last value after / from the URI column and the average process time for that in a time frame.

For example, for a day, I want to see the average time taken for service tax and price.

And how do I get any value in between URI? For example, I want to get the country type from the above URI, and want to see the average time taken for each service in different countries.

Re: How to extract a particular field from a URI in Splunk?

masonmorales — Wed, 20 Jan 2016 20:53:10 GMT

Try:

| rex field=uri "\/\w+\/(?<Country>\w+)" | rex field=uri "\/(?<Type>\w+)\s"

Should extract a field called "Country" and a field called "Type". I assume bytes, httpstatus, and processingtime are auto-extracted for you by Splunk since they're key=value pairs.

Re: How to extract a particular field from a URI in Splunk?

s2_splunk — Wed, 20 Jan 2016 21:08:55 GMT

You can do it all in one go by using this (no need to escape forward slashes:

rex field=uri "/\w+/(?<Country>\w+).*/(?<Service>\w+)$"

Re: How to extract a particular field from a URI in Splunk?

jagdeepgupta813 — Wed, 05 Oct 2016 01:13:18 GMT

why this is not working
rex field=url "\/(?\d+)$"

I tried this as well
rex field=url "\/(?\d+)RETURN"

However , this worked
rex field=url "\/(?\d{10,})$"

my url field has value like
http://IP:PORT/Folder1/rest/service1/1234/Stor3/001/12345678910/RETURN

Re: How to extract a particular field from a URI in Splunk?

jagdeepgupta813 — Wed, 05 Oct 2016 01:15:02 GMT

It was my bad, this worked

rex field=url "\/(?\d+)\/RETURN"