Splunk Search

How to extract second field between quotes and add url?

Mick_OBrien
Path Finder

I have logs of the format...

2022-09-07T01:42:06.321624+00:00 micro.service 2867ce23-bdfd-48eb-ba5a-40e1e8a93987[[APP/PROC/WEB/0]] 159.203.190.66, 100.64.144.3 - - - [07/Sep/2022:01:42:06 +0000] "GET url HTTP/1.1" 404 125

...and I want to extract a count of missing URLs by microservice.  I can get a count of microservice using...

index=myIndex "404 125" | rex "^\S+\s(?<microService>\S+).*" | bucket _time span=day | stats count by microService

...but I would like to know how to add the url

Any help appreciated


gcusello
SplunkTrust

Hi @Mick_OBrien,

let me understand: in your sample you want to extract "micro.service" and "APP/PROC/WEB/0", is that correct?

If this is your need, please try this:

| rex "^\S+\s(?<microService>\S+).*.\[\[(?<url>[^\]]+)"

that you can test at https://regex101.com/r/HFgP6J/1

Ciao.

Giuseppe


Mick_OBrien
Path Finder

Hi @gcusello

Thanks for the reply, but I want to extract the url after the GET.

Mick


gcusello
SplunkTrust

Hi @Mick_OBrien,

ok, please try this:

| rex "^\S+\s(?<microService>\S+).*.\"GET\s+(?<url>[^ ]+)"

that you can test at https://regex101.com/r/HFgP6J/2

Ciao.

Giuseppe
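As an added example (not part of the thread or Splunk's own code), the accepted rex ported to Python's `re` and run over constructed sample events in the same log format, counting 404s per microservice and URL the way `stats count by microService, url` would. Splunk's `\"` escaping becomes a plain quote, `(?<name>...)` becomes `(?P<name>...)`, and the status code is captured as its own field so the filter no longer relies on the literal substring "404 125".

```python
import re
from collections import Counter

# Python port of the accepted rex, extended to also capture method and status.
# Greedy .* backtracks to the quote that precedes the request line.
LOG_RE = re.compile(
    r'^\S+\s(?P<microService>\S+).*"(?P<method>[A-Z]+)\s+(?P<url>[^ ]+)[^"]*"\s+(?P<status>\d{3})'
)

# Constructed sample events (not real traffic); the last line deliberately does not match.
SAMPLE_LOGS = """\
2022-09-07T01:42:06.321624+00:00 micro.service 2867ce23-bdfd-48eb-ba5a-40e1e8a93987[[APP/PROC/WEB/0]] 159.203.190.66, 100.64.144.3 - - - [07/Sep/2022:01:42:06 +0000] "GET /api/v1/missing HTTP/1.1" 404 125
2022-09-07T01:42:07.000000+00:00 micro.service 2867ce23-bdfd-48eb-ba5a-40e1e8a93987[[APP/PROC/WEB/0]] 10.0.0.5, 100.64.144.3 - - - [07/Sep/2022:01:42:07 +0000] "GET /api/v1/missing HTTP/1.1" 404 125
2022-09-07T01:42:08.000000+00:00 other.service 1111aaaa-bbbb-cccc-dddd-eeeeffff0000[[APP/PROC/WEB/1]] 10.0.0.6, 100.64.144.3 - - - [07/Sep/2022:01:42:08 +0000] "GET /health HTTP/1.1" 200 2
2022-09-07T01:42:09.000000+00:00 other.service 1111aaaa-bbbb-cccc-dddd-eeeeffff0000[[APP/PROC/WEB/1]] 10.0.0.7, 100.64.144.3 - - - [07/Sep/2022:01:42:09 +0000] "GET /api/v2/unknown HTTP/1.1" 404 125
garbage line that does not match the format
"""


def extract(line):
    """Return the named groups for one event, or None when the line does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def count_missing_urls(lines, status="404"):
    """Equivalent of `stats count by microService, url`, restricted to one status code."""
    counts = Counter()
    for line in lines:
        fields = extract(line)
        if fields and fields["status"] == status:
            counts[(fields["microService"], fields["url"])] += 1
    return counts


if __name__ == "__main__":
    for (svc, url), n in sorted(count_missing_urls(SAMPLE_LOGS.splitlines()).items()):
        print(f"{n:>4}  {svc:<15} {url}")
```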

Mick_OBrien
Path Finder

@gcusello

Thanks - that seems to be working!


gcusello
SplunkTrust

Hi @Mick_OBrien,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
