Solved: Re: Extracting a field thats not recognized

venkatachalamvi · ‎05-28-2020

My rawdata from log is below

METHOD="POST" URI="CALLOUT-LOG" USER_ID_DERIVED="00532000004sefcAAA" EVENT_TYPE="ApexCallout" TYPE="REST" CLIENT_IP="" URL=""https://api.contact.com/ContactAuthorizationServer/Token"" RUN_TIME="532" SESSION_KEY="" TIMESTAMP="20200529045947.928" REQUEST_SIZE="76" LOGIN_KEY="" REQUEST_ID="4WCb1_2dhf_Zn9-qbvXjs-"

Splunk assumes URL as "" since URL value is passed to index in 2 double quotes.

I used eval to parse out and get the actual URL to a field in search as URLX but the field URLX becomes jumbled if I use like stats count by URLX.

my eval is eval ..... URLX=replace(_raw, ".URL=\"\"(.)\"\" RUN_TIME.*", "\1"), "/")

How do I properly tell splunk to get URL extracted without eval in the first place.

Thanks fpr help in advance.

493669 · ‎05-29-2020

You may want to use rex to extract url-

...|rex field=URL "\"(?<URL>[^\"]+)"

View solution in original post

venkatachalamvi · ‎06-01-2020

I eventually got it using this below

".*URL=\"\"(?P<urlx>.*)\"\" .*"

Thank you for the responses.

493669 · ‎05-29-2020

You may want to use rex to extract url-

...|rex field=URL "\"(?<URL>[^\"]+)"

Extracting a field thats not recognized

eval

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation