Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to regex the field = "URI path" values by "/" character where the values are varying length?

Glasses2
Communicator
‎10-03-2022 06:38 AM

Hi, I am b/t a rock and a wall, looking for any suggestion to solved this.

 

I am using the URL ToolBox to dissect URI "ut_path" into fields separated by "/" characters.

For instance >>> 

 

 

index=foo  sourcetype="bar" Requested_URI=*
| lookup ut_parse_simple_lookup url AS Requested_URI
| fields ut_* Requested_URI User_ID
| table User_ID RequestUri ut_scheme, ut_netloc, ut_path, ut_query, ut_fragment, ut_params


ut_path =  /a1/f1/f2/f3/4/5
ut_path =  /a1/f1/f2
ut_path =  /a1/f1/f2/f3/f4
ut_path =  /a1/f1/f2/f3

 

 

 

The "ut_path" field has different value paths of varying length, each section (like f1) needs to get extracted into a new field so that I can run stats on it.   

Is there a way to auto-extract dynamically, or conditionally?

Thank you!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-03-2022 08:54 PM

Something like

| eval ut_path = split(ut_path, "/")
| foreach 1 2 3 4 5 6 7 8
    [eval path<<FIELD>> = mvindex(ut_path, <<FIELD>>)]

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-04-2022 06:29 AM

@Glasses2 

Can you please try this?

YOUR_SEARCH
| rex field=ut_path ""\/(?<path>\w+)"" max_match=0 
| mvexpand path 
| streamstats count as path_count by ut_path 
| eval path{path_count}=path | fields - path_count path
|stats values(*) as * by ut_path

 

My Sample Search :

| makeresults 
| eval _raw="ut_path
/a1/f1/f2/f3/4/5
/a1/f1/f2
/a1/f1/f2/f3/f4
/a1/f1/f2/f3" 
| multikv forceheader=1 
| table ut_path 
| rename comment as "upto this is sample data" 
| rex field=ut_path ""\/(?<path>\w+)"" max_match=0 
| mvexpand path 
| streamstats count as path_count by ut_path 
| eval path{path_count}=path 
| fields - path_count path 
| stats values(*) as * by ut_path

Screenshot 2022-10-04 at 6.59.21 PM.png

 

I hope this will help you.

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎10-03-2022 08:54 PM

Something like

| eval ut_path = split(ut_path, "/")
| foreach 1 2 3 4 5 6 7 8
    [eval path<<FIELD>> = mvindex(ut_path, <<FIELD>>)]
Tags (1)
Reply
Solved! Jump to solution

Glasses2
Communicator
‎10-04-2022 06:13 AM

@yuanliu 

Thank you! I got it to work, the syntax threw me.

0 Karma
Reply
Solved! Jump to solution

Glasses2
Communicator
‎10-03-2022 07:45 AM

I can get what I want with this, but it needs to stop and keep the field<number> according to the count.  Currently when it ends it throws it in the last field number.

 

| rex field=ut_path "(\/(?<Field_1>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_2>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_3>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_4>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_5>[\w\d\-\.\+\,\#\!\?]+))?(\/(?<Field_6>[\w\d\-\.\+\,\#\!\?]+))" 
| table ut_path, Field_*

 

 

need a way to get it to say, e.g. if Field_3 is the last value, then stop at Field_3...   I know this question is prolly leaning toward rex expertise, but thought I would ask here anyway... ty

0 Karma
Reply
Solved! Jump to solution

Glasses2
Communicator
‎10-03-2022 04:28 PM

is there a way to delim each part to a new field?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...