topic Re: All URL'S Not coming after using match functionality in Splunk Search

All URL'S Not coming after using match functionality

shabdadev — Sun, 27 Aug 2017 06:17:34 GMT

Hi ALL,
I wrote the below query

index=noact host=loss0* sourcetype=pro-e 

(
path="/desktop/account/" OR
path="/desktop/PerItemNumber" OR
path="/desktop/organization/groups" OR
path="/desktop/organization/groups/*"  
)

| eval URL=

case
(

match(path,"\/desktop\/account"),"/desktop/account",
match(path,"\/desktop\/PerItemNumber"),"/desktop/PerItemNumber",
match(path,"\/desktop\/organization\/groups"),"/desktop/organization/groups",
match(path,"\/desktop\/organization\/groups\/.*"),"/desktop/organization/groups/*"


)

But when i am running it only the desktop/account value is being populated in URL ( NEW FIELD ) .Not sure why while rest url's also have values but they are not coming .

Re: All URL'S Not coming after using match functionality

niketn — Sun, 27 Aug 2017 08:26:30 GMT

[UPDATED ANSWER]

@shabdadev, sorry I had missed .* in my search.

Match finds a regular expression pattern in the string being searched. So the substring in 3rd condition, i.e. "\/desktop\/organization\/groups", will always be true even if you have more content in your path after groups. Hence the final case block will never be hit. If this is clear you do not need a separate case for groups/.* as @DalJeanis has suggested.

In case you want exact match for groups url and partial match for groups url to be categorized differently you can try the following case block:

| makeresults
| eval path= "/desktop/account/,/desktop/PerItemNumber,/desktop/organization/groups,/desktop/organization/groups/.*"
| makemv path delim=","
| mvexpand path
| eval URL= case (match(path,"/desktop/account"),"/desktop/account",
                  match(path,"/desktop/PerItemNumber"),"/desktop/PerItemNumber",
                  (path="/desktop/organization/groups"),"/desktop/organization/groups",
                  match(path,"/desktop/organization/groups/.*"),"/desktop/organization/groups/.*")
| table path URL

PS: As you can see in 3rd condition I am comparing exact url and 4th I am using match() pattern.

It should work as expected. Can you please post some sample Data?
Following is a run anywhere search with pipes until mvexpand command to generate paths for four groups you have. I have used similar case() and match() methods as yours (only modification is backslash need not be escaped)

| makeresults
| eval path= "/desktop/account/,
 /desktop/PerItemNumber,
 /desktop/organization/groups,
 /desktop/organization/groups/*"
| makemv path delim=","
| mvexpand path
| eval URL= case (match(path,"/desktop/account"),"/desktop/account",
                  match(path,"/desktop/PerItemNumber"),"/desktop/PerItemNumber",
                  match(path,"/desktop/organization/groups"),"/desktop/organization/groups",
                  match(path,"/desktop/organization/groups/.*"),"/desktop/organization/groups/*")
| table path URL

I am able to see four groups of URL as per the path.

Re: All URL'S Not coming after using match functionality

DalJeanis — Tue, 29 Aug 2017 14:40:29 GMT

Because of the way match works, the fourth case construct is never going to execute, and you don't need it anyway. I agree with @niketnilay that your code should work fine if the events exist.

  index=noact host=loss0* sourcetype=pro-e 
  ( path="/desktop/account/" OR
    path="/desktop/PerItemNumber" OR
    path="/desktop/organization/groups*"
    )
 | eval URL= case ( match(path,"\/desktop\/account"), "/desktop/account",
      match(path,"\/desktop\/PerItemNumber"), "/desktop/PerItemNumber",
      match(path,"\/desktop\/organization\/groups"), "/desktop/organization/groups"
       )

Re: All URL'S Not coming after using match functionality

shabdadev — Wed, 30 Aug 2017 00:39:54 GMT

"Because of the way match works" - I didnt understood what you mean by this ? Why the fourth case will never execute ??

I have taken below example in which both the requests are different , they server diff purpose and i want then separately

index=noact host=loss0* sourcetype=pro-e 
   ( 
     path="/desktop/organization/groups"
      path="/desktop/organization/groups/*"
     )
  | eval URL= case ( 

       match(path,"\/desktop\/organization\/groups"), "/desktop/organization/groups",
      match(path,"\/desktop\/organization\/groups/.*"), "/desktop/organization/groups/*"
        )

But i observed that when i execute this , splunk throws the second URL (/desktop/organization/groups/*)
in the new field 'URL' as /desktop/organization/groups ...and thats why i am not getting other values

and i think this is what you are refering to ..am i right?

Why this behavior ??

When i swapped the position of URLs in case command , then i am getting both the URL's as expected .....:) Why this thing i am not understanding ?

As match compares the URL with the regex i give it to and it should populate the values in the field which i give then why it act like that?? Please clarify this