topic Re: How to use regex inside eval? in Splunk Search

How to use regex inside eval?

kollachandra — Tue, 06 Mar 2018 21:27:37 GMT

I need to use regex inside the eval as I have to use multiple regexs inside of it. I am writing something like this

| eval counter=case( 
 | regex cs_uri_stem = "/**/sales/v\d/\d{8,}/***", "******", 
 | regex cs_uri_stem = "/**/sales/v\d/\d{8,}/**", "**"

I need to include more regexs to get the count of each single endpint

Re: How to use regex inside eval?

elliotproebstel — Tue, 06 Mar 2018 21:53:54 GMT

If all the things you're looking to count match that same pattern, then you'd be well suited to extract the value from that pattern and count based on the extracted value.

| rex field=cs_uri_stem "\/HomeOwners\/sales\/v\d\/\d{8,}\/(?<endpoint>[^\/]+)"

And this more succinct regex would probably even work:

| rex field=cs_uri_stem "(?<endpoint>[^\/]+)$"

Then to populate the counter field:

| eventstats count AS counter BY endpoint

And if you just need the counter and not the rest of the event data, you could use stats instead of eventstats:

| stats count AS counter BY endpoint

Re: How to use regex inside eval?

kollachandra — Tue, 06 Mar 2018 22:01:32 GMT

I want to get the average of different API calls hosted on the same set of servers. I need to write regex as it has a differnt session in the call syntax(sales/v1/54571418/Purchases). So, what I need is get the avg of all the endpoints like
Endpoint avg time
sales/v1/*****/Purchases Purchases 12
sales/v1/**/Documents Documents 10
sales/v1/**/Addresses Addresses 11
sales/v1/*****/Purchases Purchases 12

Re: How to use regex inside eval?

elliotproebstel — Wed, 07 Mar 2018 03:51:10 GMT

So let's take it one step at a time. Is this rex command working to extract your endpoints?

| rex field=cs_uri_stem "(?<endpoint>[^\/]+)$"

If not, can you post some examples of the full contents of the cs_uri_stem field where it's not working? It's best if you use the 101010 code button to ensure none of the characters you're posting get eaten by the posting software. Or if those endpoints aren't in the cs_uri_stem field and I misunderstood your original post, please share the full values of the fields where the endpoints are contained. We'll get it sorted!