Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract data at specific position from url?

marcosjags
Explorer
‎04-25-2022 12:07 AM

Hello Everyone, 

I am new to splunk. I am searching the logs and I am getting my url like this /api/sns/exts/djs/310200019110274535/ds/310200019110274536/. What I want here is i want to extract the djs data which is 310200019110274535 in this case. Any help would be appreciated.

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 12:28 AM

Hi @marcosjags,

you should try something like this:

index=your_index
| rex field=url "^(\/\w+){6}\/(?<variable>\d+)"
| table url variable

If you need also to extract url field, you should share some sample of your logs.

My hint is to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial)  to know how to use Splunk commands.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 12:14 AM

Hi @marcosjags,

if the string to extract is always in the seventh position in the url, you can use something lie this:

| rex "^(\/\w+){6}\/(?<djs>\d+)"

that you can test at https://regex101.com/r/HvJFCS/1

if instead after the string to extract there's always "/.", you can use this regex

| rex "(?<djs>\d+)\/\."

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

marcosjags
Explorer
‎04-25-2022 12:24 AM

@gcusello How can i show that in the table next to url like this

/api/sns/exts/djs/310200019110274535/ds/310200019110274536/  310200019110274535

do I have to hold this in a variable and then should I do 

table url variable

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 12:28 AM

Hi @marcosjags,

you should try something like this:

index=your_index
| rex field=url "^(\/\w+){6}\/(?<variable>\d+)"
| table url variable

If you need also to extract url field, you should share some sample of your logs.

My hint is to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial)  to know how to use Splunk commands.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 12:35 AM

Hi @marcosjags,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

Reply
Solved! Jump to solution

marcosjags
Explorer
‎04-25-2022 12:34 AM

Thanks for the help @gcusello . I will surely check the documentation

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-25-2022 12:20 AM

Or if it always follows "/djs/"

| rex "\/djs\/(?<djs>\d+)\/"

The main thing is that you need to determine the pattern in the URL which helps you anchor where to find the data you are looking for.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...