
How to group uri strings inside a case statement based on a substring portion of a uri


I have three types of uris stored in a field called uri. The uris are as follows:

First type:
Second type:
Third type:

I want to group them in case statement as:

eval uri=case( if uri is anything like /a/b/c/*/d then store "/a/b/c/x/d" in uri,    if uri is anything like /a/b/c/*/d/e
then store /a/b/c/x/d/e in uri, if uri is anything like /p/q/r/s/t/*/u/v/w then store /p/q/r/s/t/x/u/v/w in uri)

Can anyone please assist to achieve this?



@gokadroid, based on the details provided, please find the updated sample data and query. The commands up to mvexpand uri are there to generate sample data.

Out of the three patterns that you have provided, two require string replacement at the 4th position and the longest one requires it at the 6th position (it would have been quite easy if all of them were at the 4th position ;) ... but that we can only wish!!!).

So the approach I have taken is to:
1) split() the uri by forward slash (/).
2) Then count the total number of splits using mvcount(). Since there is a slash at the beginning of the string, my count was 1 higher than the values. Nevertheless, our objective is to get the longest string (i.e. 9 multi-value splits) vs. the other two smaller ones (i.e. 4 and 5 respectively).
3) Based on the length, set the index for the field to be replaced as either 6 (for 9 multivalue splits) or 4 (for less than 9 splits).
4) Extract the field to be replaced using mvindex(). So if the field to be replaced is abcdxyz1234, set it as /abcdxyz1234/ to be used in the final replace command.
5) Make the multivalued field a single value using nomv().
6) Replace spaces (\s) created between the combined multi-value field by forward slash (/) to make it back as a single value uri.
7) Use the concatenated final replace command to replace the string to be replaced with a static string ("/xyz" in the following example).
Following is the updated run anywhere search. Please try out and confirm.

|  makeresults
|  eval uri="/a/b/c/qFfs3-sds30s-sadsd2-qwewe/d;/a/b/c/12345678/d;/a/b/c/xxxxuyt8908/d;/a/b/c/abcdopi8765/d;/a/b/c/aDfp9-ret43w-poisd2-ewqewq/d/e;/a/b/c/65456374/d/e;/a/b/c/qweropi9089/d/e;/p/q/r/s/t/98765432/u/v/w;/p/q/r/s/t/aTyeu2-pot12y-popui2-abcert/u/v/w"
|  makemv uri delim=";"
|  mvexpand uri
|  eval uri=split(uri,"/")
|  eval url_parts=mvcount(uri)-1
|  eval replace_idx=case(url_parts>=9,6,url_parts<9,4)
|  eval url_replace="/".mvindex(uri,replace_idx)."/"
|  nomv uri
|  eval uri=replace(replace(uri,"\s","/"),url_replace,"/xyz/")

| makeresults | eval message= "Happy Splunking!!!"


@gokadroid, what is x that you want to replace in URIs? Is it some static value?
Also 1, 2, 3 ... are these always digits? Is there any other section of URI containing only digits?

How about something like the following eval with replace():

|  makeresults
|  eval uri="/a/b/c/1/d;/a/b/c/2/d;/a/b/c/3/d;/a/b/c/4/d;/a/b/c/1/d/e;/a/b/c/2/d/e;/a/b/c/3/d/e;/p/q/r/s/t/1/u/v/w;/p/q/r/s/t/2/u/v/w"
|  makemv uri delim=";"
|  mvexpand uri
|  eval uri_new=replace(uri,"\/(\d+)\/","/test/")

PS: The commands up to mvexpand mimic the sample data as per the question.

| makeresults | eval message= "Happy Splunking!!!"


Hi Niketnilay,
I will try the first one and let you know. However, for the second comment: 1, 2, 3 are not digits, nor static. They are an element of the uri which can be anything. Some samples of them are:



The replacement, however, can be static, which we can choose to group them, like xxxx-xxxx-xxx-xxx



Hi @gokadroid,

Can you please try this one?

| makeresults | eval uri="/a/b/c/1/d"
| append [| makeresults | eval uri="/a/b/c/2/d"]
| append [| makeresults | eval uri="/a/b/c/1/d/e"]
| append [| makeresults | eval uri="/a/b/c/2/d/e"]
| append [| makeresults | eval uri="/p/q/r/s/t/1/u/v/w"]
| append [| makeresults | eval uri="/p/q/r/s/t/2/u/v/w"]
| eval URI = case(like(uri,"/a/b/c/%%/d"),"/a/b/c/x/d",
    like(uri,"/a/b/c/%%/d/e"),"/a/b/c/x/d/e",
    like(uri,"/p/q/r/s/t/%%/u/v/w"),"/p/q/r/s/t/x/u/v/w")


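An added example, not taken from any of the posts above: a single case() over anchored match() patterns that implements the grouping asked for in the question. The variable segment is matched with [^/]+ so it cannot span a slash, and a final true() branch leaves unmatched URIs unchanged. The field name uri_group and the last two sample URIs are constructed for illustration; the first four come from the sample data earlier in the thread.

```spl
| makeresults
| eval uri="/a/b/c/qFfs3-sds30s-sadsd2-qwewe/d;/a/b/c/12345678/d;/a/b/c/65456374/d/e;/p/q/r/s/t/98765432/u/v/w;/a/b/c/1/2/d;/other/path"
| makemv uri delim=";"
| mvexpand uri
| eval uri_group=case(
    match(uri,"^/a/b/c/[^/]+/d$"),"/a/b/c/x/d",
    match(uri,"^/a/b/c/[^/]+/d/e$"),"/a/b/c/x/d/e",
    match(uri,"^/p/q/r/s/t/[^/]+/u/v/w$"),"/p/q/r/s/t/x/u/v/w",
    true(),uri)
| stats count by uri_group
```

The two /a/b/c/.../d samples collapse into one /a/b/c/x/d row with a count of 2, while /a/b/c/1/2/d and /other/path keep their own values because no anchored pattern matches them.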