Solved: How to edit my search to extract the last appended...

rsingh_splunk · ‎05-11-2016

Hi all,

I need to extract the last appended letter part in the URI field and use eval to term them as:
d = Detail
m = Hover
e = Edit
o = Home Page

My data below consists of this format "/15_digit_alphanumeric/Flag_I_need"
/ab0/o
/ab040000001BUXp
/ab03300000Fsmcs/e
/ab03300000EZAwx/m
/ab03300000Ejhtx/d

My current search is:

EVENT_TYPE=URI  URI=/ab0* | eval description=case(match(URI,"/ab0/o"),"Home Page", match(URI,"/ab0[a-zA-Z0-9]{12}"),"List Page", match(URI,"/ab0[a-zA-Z0-9]{12}/e"),"Edit Page",match(URI,"/ab0[a-zA-Z0-9]{12}/m"),"Hover") |...

But it only shows the "Home Page" correctly and shows all the other description value as "List Page".
Any help would be greatly appreciated, Thanks in advance.

richgalloway · ‎05-11-2016

Change the order of the entries in your case statement so "List Page" is last. It's the more general regex so the Edit Page and Hover entries don't get past it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-11-2016

Change the order of the entries in your case statement so "List Page" is last. It's the more general regex so the Edit Page and Hover entries don't get past it.

---
If this reply helps you, Karma would be appreciated.

rsingh_splunk · ‎05-12-2016

ah! that's how it works.
Thanks richgalloway , works like charm now.

How to edit my search to extract the last appended letter in a URI field and use eval to assign each letter a certain value?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!