Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my search to remove specific substrings from URI values in my results in statistics tab?

manjunathin
New Member
‎01-14-2016 03:41 AM

I wrote a search which gives the result below in the statistics tab:

URI Count   
HTTPS://XXXXXXXX//AAAA.aspx%3FUIC=GuidID=8090443C5BA5ED33%26_SecEntityType=1%26BID=71E160E1E55478D5 1   
HTTPS://XXXXXXXX/CCCCC.aspx?UIC=GuidID%3d952932873084A530%26_SecEntityType%3d1&BID=9B387A4FD720BD78     1   
HTTPS://XXXXXXXX//AAAA.aspx                                                                                     2   
HTTPS://XXXXXXXX/CCCCC.aspx     2

However, I was looking for a way to remove the data after .aspx and have the count included in statistics.
I'm expecting the statistics to look like:

URI                        Count    
HTTPS://XXXXXXXX//AAAA.aspx     3   
HTTPS://XXXXXXXX/CCCCC.aspx     3
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-14-2016 03:52 AM

Hi,

Regex101 is your friend here.
Try this:

| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/.+\.aspx)"
| stats count by shortUri

This is what I used to test your example: https://regex101.com/r/dU4sD7/2

If you have multiple aspx files try using a negative lookahead in your regex.
The following matches all your examples:

| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/(?:(?!\.aspx).)*\.aspx)"
| stats count by shortUri

Third option as provided by @alemarzu below is as follows (simpler than mine using a lazy operator):

| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:.*?\.aspx)"
| stats count by shortUri

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-14-2016 03:52 AM

Hi,

Regex101 is your friend here.
Try this:

| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/.+\.aspx)"
| stats count by shortUri

This is what I used to test your example: https://regex101.com/r/dU4sD7/2

If you have multiple aspx files try using a negative lookahead in your regex.
The following matches all your examples:

| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/(?:(?!\.aspx).)*\.aspx)"
| stats count by shortUri

Third option as provided by @alemarzu below is as follows (simpler than mine using a lazy operator):

| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:.*?\.aspx)"
| stats count by shortUri
Reply
Solved! Jump to solution

manjunathin
New Member
‎01-14-2016 04:24 AM

Thanks, i tried this but for few URI have
HTTPS://AAAAA.aspx?UIC=_SecEntityType%3d1%26CallerEduId%3d%26SSr%3d%26Target%3d..%252f..%252fDesktop...

which is getting added.

Can we have filter set to first aspx? and have the count included for it?

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-14-2016 05:00 AM

If you have multiple aspx files try using a negative lookahead in your regex.
The following matches all your examples:

| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/(?:(?!\.aspx).)*\.aspx)"
| stats count by shortUri
0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎01-14-2016 04:45 AM

Made a change on javiergn regex, try this one.

(?i)(?<shortUri>^http[s]?:.*?\.aspx)
0 Karma
Reply
Solved! Jump to solution

manjunathin
New Member
‎01-14-2016 04:49 AM

Perfect...Thanks much.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...