Solved: Re: How to regex the field = "URI path" values by ...

Glasses2 · ‎10-03-2022

Hi, I am b/t a rock and a wall, looking for any suggestion to solved this.

I am using the URL ToolBox to dissect URI "ut_path" into fields separated by "/" characters.

For instance >>>

index=foo  sourcetype="bar" Requested_URI=*
| lookup ut_parse_simple_lookup url AS Requested_URI
| fields ut_* Requested_URI User_ID
| table User_ID RequestUri ut_scheme, ut_netloc, ut_path, ut_query, ut_fragment, ut_params


ut_path =  /a1/f1/f2/f3/4/5
ut_path =  /a1/f1/f2
ut_path =  /a1/f1/f2/f3/f4
ut_path =  /a1/f1/f2/f3

The "ut_path" field has different value paths of varying length, each section (like f1) needs to get extracted into a new field so that I can run stats on it.

Is there a way to auto-extract dynamically, or conditionally?

Thank you!

yuanliu · ‎10-03-2022

Something like

| eval ut_path = split(ut_path, "/")
| foreach 1 2 3 4 5 6 7 8
    [eval path<<FIELD>> = mvindex(ut_path, <<FIELD>>)]

View solution in original post

kamlesh_vaghela · ‎10-04-2022

@Glasses2

Can you please try this?

YOUR_SEARCH
| rex field=ut_path ""\/(?<path>\w+)"" max_match=0 
| mvexpand path 
| streamstats count as path_count by ut_path 
| eval path{path_count}=path | fields - path_count path
|stats values(*) as * by ut_path

My Sample Search :

| makeresults 
| eval _raw="ut_path
/a1/f1/f2/f3/4/5
/a1/f1/f2
/a1/f1/f2/f3/f4
/a1/f1/f2/f3" 
| multikv forceheader=1 
| table ut_path 
| rename comment as "upto this is sample data" 
| rex field=ut_path ""\/(?<path>\w+)"" max_match=0 
| mvexpand path 
| streamstats count as path_count by ut_path 
| eval path{path_count}=path 
| fields - path_count path 
| stats values(*) as * by ut_path

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

yuanliu · ‎10-03-2022

Something like

| eval ut_path = split(ut_path, "/")
| foreach 1 2 3 4 5 6 7 8
    [eval path<<FIELD>> = mvindex(ut_path, <<FIELD>>)]

Glasses2 · ‎10-04-2022

@yuanliu

Thank you! I got it to work, the syntax threw me.

Glasses2 · ‎10-03-2022

I can get what I want with this, but it needs to stop and keep the field<number> according to the count. Currently when it ends it throws it in the last field number.

| rex field=ut_path "(\/(?<Field_1>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_2>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_3>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_4>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_5>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_6>[\w\d\-\.\+\,\#\!\?]+))" 
| table ut_path, Field_*

need a way to get it to say, e.g. if Field_3 is the last value, then stop at Field_3... I know this question is prolly leaning toward rex expertise, but thought I would ask here anyway... ty

Glasses2 · ‎10-03-2022

is there a way to delim each part to a new field?

How to regex the field = "URI path" values by "/" character where the values are varying length?

field extraction

regex

stats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life