Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract data at specific position from url?

marcosjags
Explorer
‎04-25-2022 12:07 AM

Hello Everyone, 

I am new to splunk. I am searching the logs and I am getting my url like this /api/sns/exts/djs/310200019110274535/ds/310200019110274536/. What I want here is i want to extract the djs data which is 310200019110274535 in this case. Any help would be appreciated.

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 12:28 AM

Hi @marcosjags,

you should try something like this:

index=your_index
| rex field=url "^(\/\w+){6}\/(?<variable>\d+)"
| table url variable

If you need also to extract url field, you should share some sample of your logs.

My hint is to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial)  to know how to use Splunk commands.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 12:14 AM

Hi @marcosjags,

if the string to extract is always in the seventh position in the url, you can use something lie this:

| rex "^(\/\w+){6}\/(?<djs>\d+)"

that you can test at https://regex101.com/r/HvJFCS/1

if instead after the string to extract there's always "/.", you can use this regex

| rex "(?<djs>\d+)\/\."

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

marcosjags
Explorer
‎04-25-2022 12:24 AM

@gcusello How can i show that in the table next to url like this

/api/sns/exts/djs/310200019110274535/ds/310200019110274536/  310200019110274535

do I have to hold this in a variable and then should I do 

table url variable

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 12:28 AM

Hi @marcosjags,

you should try something like this:

index=your_index
| rex field=url "^(\/\w+){6}\/(?<variable>\d+)"
| table url variable

If you need also to extract url field, you should share some sample of your logs.

My hint is to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial)  to know how to use Splunk commands.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 12:35 AM

Hi @marcosjags,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

Reply
Solved! Jump to solution

marcosjags
Explorer
‎04-25-2022 12:34 AM

Thanks for the help @gcusello . I will surely check the documentation

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-25-2022 12:20 AM

Or if it always follows "/djs/"

| rex "\/djs\/(?<djs>\d+)\/"

The main thing is that you need to determine the pattern in the URL which helps you anchor where to find the data you are looking for.

Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top