Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I edit my search to remove specific substri...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wrote a search which gives the result below in the statistics tab:
URI Count
HTTPS://XXXXXXXX//AAAA.aspx%3FUIC=GuidID=8090443C5BA5ED33%26_SecEntityType=1%26BID=71E160E1E55478D5 1
HTTPS://XXXXXXXX/CCCCC.aspx?UIC=GuidID%3d952932873084A530%26_SecEntityType%3d1&BID=9B387A4FD720BD78 1
HTTPS://XXXXXXXX//AAAA.aspx 2
HTTPS://XXXXXXXX/CCCCC.aspx 2
However, I was looking for a way to remove the data after .aspx and have the count included in statistics.
I'm expecting the statistics to look like:
URI Count
HTTPS://XXXXXXXX//AAAA.aspx 3
HTTPS://XXXXXXXX/CCCCC.aspx 3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Regex101 is your friend here.
Try this:
| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/.+\.aspx)"
| stats count by shortUri
This is what I used to test your example: https://regex101.com/r/dU4sD7/2
If you have multiple aspx files try using a negative lookahead in your regex.
The following matches all your examples:
| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/(?:(?!\.aspx).)*\.aspx)"
| stats count by shortUri
Third option as provided by @alemarzu below is as follows (simpler than mine using a lazy operator):
| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:.*?\.aspx)"
| stats count by shortUri
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Regex101 is your friend here.
Try this:
| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/.+\.aspx)"
| stats count by shortUri
This is what I used to test your example: https://regex101.com/r/dU4sD7/2
If you have multiple aspx files try using a negative lookahead in your regex.
The following matches all your examples:
| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/(?:(?!\.aspx).)*\.aspx)"
| stats count by shortUri
Third option as provided by @alemarzu below is as follows (simpler than mine using a lazy operator):
| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:.*?\.aspx)"
| stats count by shortUri
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, i tried this but for few URI have
HTTPS://AAAAA.aspx?UIC=_SecEntityType%3d1%26CallerEduId%3d%26SSr%3d%26Target%3d..%252f..%252fDesktop...
which is getting added.
Can we have filter set to first aspx? and have the count included for it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have multiple aspx files try using a negative lookahead in your regex.
The following matches all your examples:
| yoursearch
| rex field=URI "(?i)(?<shortUri>^http[s]?:\/\/(?:(?!\.aspx).)*\.aspx)"
| stats count by shortUri
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Made a change on javiergn regex, try this one.
(?i)(?<shortUri>^http[s]?:.*?\.aspx)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect...Thanks much.
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
