
Help with Splunk rex and using it in searchmatch?

super_edition
Path Finder

Hello everyone,

Firstly, big thanks to @ITWhisperer for helping me in recent weeks 😊

I have created a Splunk query which displays the data as below.

Operations         average   response90
create_cart        250       380
cart_summary       240       330
cart_productType   210       321
getCart            260       365

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container 
| search ("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/*/summary HTTP" 
OR "GET *shopping*carts*productType* HTTP") 
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations 
| eval average=round(average,2),response90=round(response90,2)

I want to include one more search pattern, as below:

"message":{"input":"999.111.000.999 - - [06/Apr/2023:04:08:13 +0000] \"GET /shopping/carts/v1/83h3h331-g494-28h4-yyw7-dq123123123d HTTP/1.1\" 200 1855 8080 10 ms"}

Hence I changed the Splunk query to something like the one below, to display the tabular information in the format shown above.

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container 
| rex "\"(?<url>GET /shopping/carts/v1/[^/ ?]+\sHTTP)"
| search ("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/*/summary HTTP" 
OR "GET *shopping*carts*productType* HTTP")
OR url
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType",
searchmatch(url),"getCart")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations 
| eval average=round(average,2),response90=round(response90,2)

I am encountering the following error: Error in 'EvalCommand': The arguments to the 'searchmatch' function are invalid.


yuanliu
SplunkTrust

First, I think ITWhisperer already mentioned that adding "search" commands after the index search is less efficient.  So, your first search really should start with (before the case function)

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
 ("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/*/summary HTTP" 
OR "GET *shopping*carts*productType* HTTP")

Secondly, unless you say something like "url = <something>" in the second search, the rex and the second search command would make absolutely no difference.

Now, to the error from searchmatch inside that case function.  searchmatch expects a literal string as argument.  The bare url is not a literal string, therefore the error.

I think what you want is something like

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns openshift_container_name=container
("POST /shopping/carts/v1 HTTP" 
OR "GET /shopping/carts/v1/* HTTP" ``` do not differentiate ```
OR "GET *shopping*carts*productType* HTTP")
| eval Operations=case(
searchmatch("POST /shopping/carts/v1 HTTP"),"create_cart",
searchmatch("GET /shopping/carts/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *shopping*carts*productType* HTTP"),"cart_productType",
match(_raw, "\"GET /shopping/carts/v1/[^/ ?]+\sHTTP"),"getCart") ``` the \" matches the quote that precedes GET in the raw event, as in your rex ```
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations 
| eval average=round(average,2),response90=round(response90,2)

Here, match function takes a literal string OR string field, and does a regex match.  There is no need for a separate rex command.

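As an added illustration of the classification the accepted answer arrives at (my own code, not from the post or from Splunk), the Python below applies the same case() branch order and the getCart regex to constructed sample events in the question's log format, then computes the per-operation average and a nearest-rank 90th percentile. The \S* stand-in for Splunk's phrase wildcard and the percentile estimator are assumptions, not Splunk's exact semantics.

```python
import math
import re
from collections import defaultdict

# Constructed sample events in the JSON-wrapped access-log format from the question
# (fake IPs, IDs and timings). The trailing "<n> ms" stands in for processDuration.
EVENTS = [
    r'"message":{"input":"10.0.0.1 - - [06/Apr/2023:04:08:13 +0000] \"POST /shopping/carts/v1 HTTP/1.1\" 201 90 8080 250 ms"}',
    r'"message":{"input":"10.0.0.1 - - [06/Apr/2023:04:08:14 +0000] \"GET /shopping/carts/v1/abc-123 HTTP/1.1\" 200 1855 8080 10 ms"}',
    r'"message":{"input":"10.0.0.2 - - [06/Apr/2023:04:08:15 +0000] \"GET /shopping/carts/v1/abc-123/summary HTTP/1.1\" 200 700 8080 240 ms"}',
    r'"message":{"input":"10.0.0.3 - - [06/Apr/2023:04:08:16 +0000] \"GET /shopping/carts/v1/abc-123?fields=items HTTP/1.1\" 200 900 8080 30 ms"}',
    r'"message":{"input":"10.0.0.3 - - [06/Apr/2023:04:08:17 +0000] \"GET /shopping/carts/v1/productType/shoes HTTP/1.1\" 200 300 8080 210 ms"}',
    r'"message":{"input":"10.0.0.4 - - [06/Apr/2023:04:08:18 +0000] \"GET /shopping/carts/v1/xyz-999 HTTP/1.1\" 200 1500 8080 20 ms"}',
]

# Same branch order as the SPL case(): the first rule that matches wins. Splunk's phrase
# wildcard "*" is approximated by \S* here (an assumption, not Splunk's exact matching).
RULES = [
    ("create_cart", re.compile(r"POST /shopping/carts/v1 HTTP")),
    ("cart_summary", re.compile(r"GET /shopping/carts/v1/\S*/summary HTTP")),
    ("cart_productType", re.compile(r"GET \S*shopping\S*carts\S*productType\S* HTTP")),
    # getCart regex from the answer: exactly one path segment (no '/', ' ' or '?') followed
    # by whitespace and HTTP, so the /summary route and ?query variants do not match it.
    ("getCart", re.compile(r"GET /shopping/carts/v1/[^/ ?]+\sHTTP")),
]


def classify(event):
    """Operations label for one raw event, or None when no case() branch matches."""
    return next((label for label, rx in RULES if rx.search(event)), None)


def duration_ms(event):
    """Pull the '<n> ms' timing out of the event (the query's processDuration field)."""
    m = re.search(r"(\d+) ms", event)
    return int(m.group(1)) if m else None


def perc90(values):
    """Nearest-rank 90th percentile (an assumption; Splunk's perc90 uses its own estimator)."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(0.9 * len(ordered)) - 1)]


def summarize(events):
    """Equivalent of: | stats avg(...) as average perc90(...) as response90 by Operations."""
    buckets = defaultdict(list)
    for event in events:
        op, ms = classify(event), duration_ms(event)
        if op is not None and ms is not None:  # 'by Operations' drops events with a null label
            buckets[op].append(ms)
    return {op: (round(sum(v) / len(v), 2), perc90(v)) for op, v in buckets.items()}
```

The event with a query string is deliberately left unclassified, which is what happens to it in the SPL as well: no case() branch matches, Operations is null, and stats by Operations silently drops it.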