All Apps and Add-ons

Splunk App for Webanalytics: Only do rex if

JohannesGmelin
Path Finder

Dear Community,

I have a problem with my search string at the user journey flow page in the "Splunk App for Webanalytics" app.
I just want to run a rex if the landing page dropdown field contains "Any" (all landing pages).

I've tried this but it's very complicated 😕

| rex "(?<landing_page_any>REGEX1)" field=Web.uri mode=sed "s/^(\/[^\/]+\/).*$/\1/"
| eval landing_page = if(landing_page=="Any",landing_page_any)

Do you have any idea whats wrong with my code? I'm getting an error that something is wrong in my rex command.

Error in 'rex' command: Failed to initialize sed. cannot find sed command: (

Thanks a lot!

Additional information's:

This is a picture without any filter (all links are cut correctly:
alt text

But after setting the filter in the landing page for the first entry "test....." the Web.uri's on the right sight shouldn't be cuted off.. the should be the whole uri like /linkA/linkB/result.html. So my idea was to allow the rex command only if the landing page filter is set to "Any":
alt text

0 Karma

woodcock
Esteemed Legend

You cannot (in any way that makes any sense here) conditionally run the rex but you can easily conditionally use the result:

| makeresults
| eval Web.uri="http://www.this.is.a.test.com/", Web.uri.maybe=$Web.uri$
| rex field=Web.uri.maybe "(?<landing_page_any>REGEX1)"
| rex field=Web.uri.maybe mode=sed "s/^(\/[^\/]+\/).*$/\1/"
| eval Maybe=if(YourCondition="True"), Web.uri.maybe, Web.uri)

The problem with your rex command is that you were mixing non-sed-based and sed-based syntax in a single command. I have split it out into 2 commands.

0 Karma

knielsen
Contributor

If I understood correctly, try it like this:

rex field=Web.uri "^(?<any>/[^/]+/)" | eval landing_page=if(landing_page=="Any", any, 'Web.uri') 
0 Karma

JohannesGmelin
Path Finder

Not working 😕 I want to do the rex command if the landing page filter is set to "Any" otherwise the rex command shouldn't start.

0 Karma

knielsen
Contributor

Why do you care wether rex is executed? It doesn't change anything in Web.uri.

You can do without rex as well, looks interesting:

| makeresults | eval landing_page="Any" | eval Web.uri="/landing_page/contentA/contentB.html" | eval landing_page=if(landing_page=="Any","/"+mvindex(split('Web.uri',"/"),1)+"/",'Web.uri')

gives back "/landing_page/"

| makeresults | eval landing_page="bla" | eval Web.uri="/landing_page/contentA/contentB.html" | eval landing_page=if(landing_page=="Any","/"+mvindex(split('Web.uri',"/"),1)+"/",'Web.uri')

gives back "/landing_page/contentA/contentB.html" in field landing_page
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ohannesGmelin,
could you share an example of your logs?
Bye.
Giuseppe

JohannesGmelin
Path Finder

Hey Giuseppe,

I thought about all things here and had an idea. Is it possible to do something like this?

| tstats summariesonly=t count FROM datamodel=Web WHERE Web.site="$site$" "Web.eventtype"=pageview "Web.http_session_pageviews">1 GROUPBY "Web.site","Web.http_session",_time span=1s,"Web.http_referer","Web.uri","Web.http_session_channel"
**| eval rex_langing_page=if("$landing_page$"=="*", "s/^(\/[^\/]+\/).*$/\1/", rex_langing_page)
| rex field=Web.uri mode=sed "$rex_langing_page$"**
| rename Web.uri AS to "Web.http_referer" AS from "Web.http_session_channel" AS channel "Web.site" AS site "Web.http_session" AS http_session
| rex field=from "https?://.+?(?<from_path>/[^\\?]+)" 
| rename from_path AS from
| eval from=if(isnull(from),"$site$",from)
| streamstats global=f count AS interaction by http_session 
| eval interaction=interaction-1
| where interaction<=round($limit$/20,0)
| stats list(from) AS from, list(to) AS to,earliest(to) AS landing_page, list(channel) as channel, list(interaction) as interaction by http_session
| search to="$to$" landing_page="$landing_page$"
| eval fields = mvzip(from,mvzip(to,mvzip(interaction,channel))) 
| fields http_session fields
| mvexpand fields
| rex field=fields "(?<from>[^\,]+),(?<to>[^\,]+),(?<interaction>[^\,]+),(?<channel>.+)"
| eval from=if(interaction=0, "", from)
| eval from=if("$landing_page$"!="*", "$site$"."$landing_page$", from)
| table http_session from to interaction
| where interaction>=1
| where to!="$landing_page$"
| where to!=from
| stats count by from,to,interaction
| sort interaction,-count,from,to
| streamstats global=f count AS interaction_rank by interaction
| where interaction_rank<=round($limit$/10,0)
| stats sum(count) AS count by from,to
| sort from to count
| head $limit$

I want to define a variable with my rex command (if landing_page == any; my_variable="my rex value for command") and call the value of the variable in my rex. The problem is that I get the error: "Search is waiting for input" and nothing happens.

Do you have any idea?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ohannesGmelin,
there's something not correct: in the rex command you have to extract a field and after you can use eval for your condition
something like this
| rex field=Web.uri mode=sed "your_regex"
| eval rex_langing_page=if(landing_page="*", your_regex_field, rex_langing_page)

Bye.
Giuseppe

JohannesGmelin
Path Finder

But rex_landing_page should be a variable with my pattern for the rex?

0 Karma

gcusello
SplunkTrust
SplunkTrust

I'm not sure that it's possible to pass a variable to a rex command.

I cannot help you with the regex bacause I haven't an example but this approach shoul be correct.

Bye.
Giuseppe

0 Karma

JohannesGmelin
Path Finder

I'm not allowed because the contend is secret 😕

But a link in my user journey flow looks like this: /landing_page/contentA/contentB.html

With my rex I want to remove the back part that I only get the /landing_page/.
But I just want to do the rex if the landing_page filter is set to "Any" in the DropDown else the rex should be ignored.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ohannesGmelin,
you could mask them before sharing...
Anyway, you could use a regex like this

\/(?<your_field>[^\/]+)

test it at https://regex101.com/r/JXcqMO/1

For the second problem, you have to run the regex and after use eval to choose if using regex or not, something like this

your_search 
| rex "\/(?<your_field>[^\/]+)" 
| eval your_field=if(dropdown_value="Any",your_field) 
| ...

Bye.
Giuseppe

0 Karma

JohannesGmelin
Path Finder

Question Updated!

0 Karma

JohannesGmelin
Path Finder

I think you misunderstood my question :/. I don't want to set any field. When I'm at the user journey flow I have a graphic. When I set all filters to "Any" especially the landing page filter the rex command should cut off the ending from the landing pages that I get just the first part. If I set the filter for the landing page to a value the rex shouldn't cut off the ending for all Web.uri's.

I'll upload a picture to my question for a better understanding.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...