topic Re: Wildcard in middle of search string in Splunk Search

Wildcard in middle of search string

shabdadev — Thu, 06 Jul 2017 08:13:05 GMT

Hi all ,
I have this query

  index=ihs host=losat  sourcetype=ih  ( URLRedefined="/wcs/resources/products/*/credit/fin/v1\?brand=*" OR URLRedefined="/webapp/wcs/OrderItem\?orderId=*")
 | eval URL=case(match(URLRedefined,"/wcs/resources/products/*/credit/fin/v1\?brand=*"),"/wcs/resources/products/*/credit/fin/v1?brand=*",
match(URLRedefined,"/webapp/wcs/OrderItem\?orderId=*"),"/webapp/wcs/OrderItem?orderId=*"  )
         | stats count perc95(ResponseTime)  by URL

While running i am getting the stats for the orderitem url but for credit/fin url ..no stats are coming even though data is there for that .

I can see one msg in job section:

Unified Search: The term 'URLRedefined="/wcs/resources/products//credit/fin/v1\?brand="' contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.

How to resolve this ??

Re: Wildcard in middle of search string

niketn — Thu, 06 Jul 2017 08:22:12 GMT

@shabdadev, for the following URL "/wcs/resources/products/*/credit/fin/v1\?brand=*", does asterisk() represent wildcard or is asterisk() part of the raw data itself?

Re: Wildcard in middle of search string

shabdadev — Thu, 06 Jul 2017 08:27:24 GMT

asterisk() * is wildcard which i want to use to take in account all values/data which comes in between the both forward slashes

Re: Wildcard in middle of search string

niketn — Thu, 06 Jul 2017 08:49:23 GMT

@shabdadev, you might have to read about match() function again(http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#match.28SUBJECT.2C_.22REGEX.22.29). Match performs a regular expression based pattern match. So, if you are familiar with Regular Expressions you can create pattern matches accordingly.

Following is a run anywhere search to make you understand RegEx based pattern matching.

| makeresults
| eval URLRedefined="/wcs/resources/products/blah1/blah2/credit/fin/v1?brand=blah1blah2"
| eval URL=case(match(URLRedefined,"/wcs/resources/products/*/credit/fin/v1\?brand=*"),"\/wcs\/resources\/products\/.*\/credit\/fin\/v1\?brand=.*",true(),"UnknownURL"

While I have taken one random URLRedefined example similar to credit URL you are interested in, you will have access to actual sample and complete data set. Please use regex101 to come up with exact regular expressions and test the same prior to applying the same.

Re: Wildcard in middle of search string

shabdadev — Thu, 06 Jul 2017 09:14:06 GMT

Hi Niket Thanks for the response...
I think while parsing the match function it was not able to parse asterisk because it was embedded between 2 forward slashes .......i used escape characters in front of the forward slashes and asterisk and it worked . Still i am not sure why . (dot) is used as escape character for asterisk ??

eval URL=case(match(URLRedefined,"/wcs/resources/products\/.* \/credit/fin/v1\?brand=*")

The link which you provided , i allready went through it but in what situations what all escape characters are used is not mentioned there .

Re: Wildcard in middle of search string

koshyk — Thu, 06 Jul 2017 09:32:38 GMT

When I tested with below examples, it worked

For brand

|makeresults | eval URLRedefined="/wcs/resources/products/aaaaaaaaa/credit/fin/v1?brand=hello_world"  
| eval URL=case(match(URLRedefined,"/wcs/resources/products/.*/credit/fin/v1\?brand="),"/wcs/resources/products/*/credit/fin/v1?brand=*",    match(URLRedefined,"/webapp/wcs/OrderItem\?orderId=*"),"/webapp/wcs/OrderItem?orderId=*"  )
| table URLRedefined,URL

For Order item

|makeresults | eval URLRedefined="/webapp/wcs/OrderItem?orderId=12345"  
| eval URL=case(match(URLRedefined,"/wcs/resources/products/.*/credit/fin/v1\?brand="),"/wcs/resources/products/*/credit/fin/v1?brand=*",   match(URLRedefined,"/webapp/wcs/OrderItem\?orderId=.*"),"/webapp/wcs/OrderItem?orderId=*"  )| table URLRedefined,URL

The only change, I've done is to use ".*" in the match expression.

Re: Wildcard in middle of search string

niketn — Thu, 06 Jul 2017 09:54:36 GMT

@shabdadev, I think you are confusing between escape character and Regular Expression,

Dot (.) in Regular expression means pick anything and asterisk (*) will mean repeat n number or time until next pattern is found. RegEx101 towards bottom right section will also give you an idea about Regular Expressions however, I would say better understand that in depth as Regular Expressions will be used for pattern matching in several places and in several Splunk commands/Field Extractions.

If the comment has helped you resolve the issue. I will convert to answer. Please accept to close the same unless you have any other clarifications.

Re: Wildcard in middle of search string

niketn — Fri, 07 Jul 2017 17:06:25 GMT

@shabdadev, please accept the answer if it helped.