Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract API name from below URL field in Splunk,

ravimishrabglr
Explorer
‎12-10-2019 10:37 PM

U="/my-web/services/v1/2/cartMetadata"
U="/my-web/services/v1/2/cartMetadata/delivery"
U="/my-web/services/v1/cps/getContent/8efa90da34cb4046ae0c65b2935ff5bc"

Trying using : ^(?:[^/\n]*/){5}(?P\w+) but getting result as-

cartMetadata
getContent

But I want this-
cartMetadata
delivery
getContent

Please help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gf13579
Communicator
‎12-11-2019 02:00 PM

This feels hacky and wrong, but it works with your sample data and required outcome:

\/(?<api_name>[^\/]+)(\/([a-z0-9]{32})|$)

It works on the basis that you might have a 32 character hex string at the end, or might not - but you don't care what it is.

As per comments from @richgalloway above, it's unclear what the rules should be for determining the value you're after.

Here's that regex in action:

| makeresults
| eval U = "/my-web/services/v1/2/cartMetadata /my-web/services/v1/2/cartMetadata/delivery /my-web/services/v1/cps/getContent/8efa90da34cb4046ae0c65b2935ff5bc"
| makemv delim=" " U | mvexpand U
| rex field=U "\/(?[^\/]+)(\/([a-z0-9]{32})|$)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎12-11-2019 11:02 PM

Hi

Give a try, based on length 32 i ignored last part

| makeresults 
| eval U = "/my-web/services/v1/2/cartMetadata /my-web/services/v1/2/cartMetadata/delivery /my-web/services/v1/cps/getContent/8efa90da34cb4046ae0c65b2935ff5bc" 
| makemv delim=" " U 
| mvexpand U 
| makemv delim="/" U 
| eval API  = if(len(mvindex(U,mvcount(U)-1))==32,mvindex(U,mvcount(U)-2),mvindex(U,mvcount(U)-1))
0 Karma
Reply
Solved! Jump to solution
Solution

gf13579
Communicator
‎12-11-2019 02:00 PM

This feels hacky and wrong, but it works with your sample data and required outcome:

\/(?<api_name>[^\/]+)(\/([a-z0-9]{32})|$)

It works on the basis that you might have a 32 character hex string at the end, or might not - but you don't care what it is.

As per comments from @richgalloway above, it's unclear what the rules should be for determining the value you're after.

Here's that regex in action:

| makeresults
| eval U = "/my-web/services/v1/2/cartMetadata /my-web/services/v1/2/cartMetadata/delivery /my-web/services/v1/cps/getContent/8efa90da34cb4046ae0c65b2935ff5bc"
| makemv delim=" " U | mvexpand U
| rex field=U "\/(?[^\/]+)(\/([a-z0-9]{32})|$)"
0 Karma
Reply
Solved! Jump to solution

ravimishrabglr
Explorer
‎12-11-2019 10:11 PM

@gf13579 Thanks for the answer! I feel it is very close, could you please have a look in my comment in the question for more detail.

0 Karma
Reply
Solved! Jump to solution

gf13579
Communicator
‎12-11-2019 10:13 PM

| makeresults
| eval U = "/my-web/services/v1/2/cartMetadata /my-web/services/v1/2/cartMetadata/delivery /my-web/services/v1/cps/getContent/8efa90da34cb4046ae0c65b2935ff5bc"
| makemv delim=" " U | mvexpand U
| rex field=U "\/(?[^\/]+)(\/([a-z0-9]{32})|$)"

0 Karma
Reply
Solved! Jump to solution

gf13579
Communicator
‎12-11-2019 10:13 PM

I updated it based on your clarification that U is the field name rather than U= being part of the value

0 Karma
Reply
Solved! Jump to solution

gf13579
Communicator
‎12-11-2019 10:15 PM

alt text

0 Karma
Reply
Solved! Jump to solution

ravimishrabglr
Explorer
‎12-12-2019 02:18 AM

Thank you @gf13579 it worked!!! I will Accept the answer.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-11-2019 05:05 AM

What are the rules for deciding where the API name is? Your regex extracts the fifth element of the URL, but your desired results call for either the 5th or 6th. What is the determining factor?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ravimishrabglr
Explorer
‎12-11-2019 10:08 PM

@richgalloway I want last part of the url, if it has 32 digit id in the last then ignore it and get second last part.
I tried regex as per @gf13579 in my below query but it is returning getContent ONLY. please help me if my query is right. U is the field here and i am trying to create a board to show latency of all APIs.

index="myIndex" host="myApp" source="mySource" sourcetype="mySourceType" (MTHD="POST" OR MTHD="GET") | rex field=U "\/(?[^\/]+)(\/([a-z0-9]{32})|\"$)" |
dedup CR,RE | stats count as TotalReq, min(D) as Min, max(D) as Max, avg(D) as Avg, perc95(D) as P95, perc98(D) as P98, perc99(D) as P99 by ApiName, MTHD | addinfo |
eval range = info_max_time - info_min_time | eval TPS=round(TotalReq/range,2) | eval Avg=round(Avg,2) |
fields ApiName, MTHD, TotalReq, TPS, Min, Max, Avg, P95, P98, P99

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
Top