Solved: Re: Extracting a field thats not recognized

venkatachalamvi · ‎05-28-2020

My rawdata from log is below

METHOD="POST" URI="CALLOUT-LOG" USER_ID_DERIVED="00532000004sefcAAA" EVENT_TYPE="ApexCallout" TYPE="REST" CLIENT_IP="" URL=""https://api.contact.com/ContactAuthorizationServer/Token"" RUN_TIME="532" SESSION_KEY="" TIMESTAMP="20200529045947.928" REQUEST_SIZE="76" LOGIN_KEY="" REQUEST_ID="4WCb1_2dhf_Zn9-qbvXjs-"

Splunk assumes URL as "" since URL value is passed to index in 2 double quotes.

I used eval to parse out and get the actual URL to a field in search as URLX but the field URLX becomes jumbled if I use like stats count by URLX.

my eval is eval ..... URLX=replace(_raw, ".URL=\"\"(.)\"\" RUN_TIME.*", "\1"), "/")

How do I properly tell splunk to get URL extracted without eval in the first place.

Thanks fpr help in advance.

493669 · ‎05-29-2020

You may want to use rex to extract url-

...|rex field=URL "\"(?<URL>[^\"]+)"

View solution in original post

venkatachalamvi · ‎06-01-2020

I eventually got it using this below

".*URL=\"\"(?P<urlx>.*)\"\" .*"

Thank you for the responses.

493669 · ‎05-29-2020

You may want to use rex to extract url-

...|rex field=URL "\"(?<URL>[^\"]+)"

Extracting a field thats not recognized

eval

field extraction

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?