Splunk Search

How to create a Splunk regex to match URI?

danast
Engager

Hi everyone,

I am trying to come up with a Splunk regex search for detecting URIs of URLs.
What I am interested in is the last random character and length string after the forward slash of the URLs below:

txx.zlx.mam-bg.ru/avuTbur334vxasd
zlx.axa.babishop18.ml/aipiruqwbXasal2

My fast solution to this so far is:

`... | regex uri="^/[a-zA-Z0-9]{8,20}$"`

However, I am unable to verify if this works as I don't have access to the logs currently.
Any suggestions for improvement would be appreciated.


richgalloway
SplunkTrust

Have you seen the URL Toolbox app (https://splunkbase.splunk.com/app/2734/)? It will parse the URL for you.

If you really want or need to do it yourself, provide some sample data and we should be able to help you find a regex string that works with it.

---
If this reply helps you, Karma would be appreciated.


danast
Engager

Rich thanks for the link to the app, I will give it a try later.

I asked some sample URLs to be emailed, here they are:

http://www.zdp.xu9lb084.IRISHKO.RU/bnhwf28dzmxoo
http://ylg.zc90xzeu.mama-bg.ru/aoxzc28jlcabog
http://hzm.hzm.6ju4a0t6.river-runningasd.ga/gqnckvx30hxgdtils

As you can see, the last random character/length string after the domain suffix and / connects all of them. What I am trying to do here is to go through logs and find any URLs that have such a string. From what I know, the length of the string varies between 8 and 20 characters.

Any suggestions for improvement would be appreciated.


richgalloway
SplunkTrust

The URL Toolbox app can do that easily.

This regex string matches your sample text: `\.\w+\/(?<URI>.*)`

---
If this reply helps you, Karma would be appreciated.
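As an added example that is not part of the thread: the two regexes discussed above applied with Python's `re` module over constructed proxy-style log lines (the `src=`/`url=` layout and the `example.com` entries are assumptions; the three URLs are the ones danast posted). Rich's pattern extracts everything after the first `.tld/`, and danast's `{8,20}` alphanumeric test is what narrows the result to the random-looking tokens.

```python
import re

# Constructed sample log lines (not from the thread); the first three URLs are from the question.
SAMPLE_LOGS = [
    'src=10.0.0.5 url="http://www.zdp.xu9lb084.IRISHKO.RU/bnhwf28dzmxoo" status=200',
    'src=10.0.0.6 url="http://ylg.zc90xzeu.mama-bg.ru/aoxzc28jlcabog" status=200',
    'src=10.0.0.7 url="http://hzm.hzm.6ju4a0t6.river-runningasd.ga/gqnckvx30hxgdtils" status=200',
    'src=10.0.0.8 url="https://docs.example.com/guide/index.html" status=200',
    'src=10.0.0.9 url="http://cdn.example.org/" status=304',
]

# richgalloway's extraction: everything after the first ".<tld>/".
# Splunk's PCRE syntax is (?<URI>...); Python's re needs (?P<URI>...).
# The capture stops at a quote or whitespace so it does not swallow the rest of the log line.
URI_RE = re.compile(r'\.\w+/(?P<URI>[^"\s]*)')

# danast's test on the extracted path: one 8-20 character alphanumeric segment and nothing else.
TOKEN_RE = re.compile(r'^[a-zA-Z0-9]{8,20}$')


def extract_uri(line):
    """Return the path after the domain suffix, or None if no '.tld/' is present."""
    m = URI_RE.search(line)
    return m.group('URI') if m else None


def is_random_token(uri):
    """True when the extracted path is a single random-looking token of 8-20 alphanumerics."""
    return uri is not None and TOKEN_RE.match(uri) is not None


def find_suspicious(lines):
    """Return (line, uri) pairs whose extracted path passes the token test."""
    hits = []
    for line in lines:
        uri = extract_uri(line)
        if is_random_token(uri):
            hits.append((line, uri))
    return hits


if __name__ == "__main__":
    for line, uri in find_suspicious(SAMPLE_LOGS):
        print(uri, "<-", line)
```

The `docs.example.com/guide/index.html` and bare `cdn.example.org/` lines show why the second regex matters: Rich's capture alone returns `guide/index.html` and an empty string for them, and only the token test drops both.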