How to write a regular expression to extract and c...

macadminrohit · ‎01-29-2018

Hi,

I am trying to analyse the Apache web access logs for the below textpayload:

IP -- [Date +0000] "POST /PATH/URI/ HTTP/1.1" 200 1.599 0 "https://URL/to/PAGES.html" "Mozilla/5.0 (

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0" "IP, IP" Correlation-ID="10 Digit number"

Basically, I want to get a number of calls per URL. Here calls are "https://URL/to/PAGES.html" and URL is /PATH/URI/ HTTP/1.1 , Any help is highly appreciated.

thanks

msivill_splunk · ‎01-30-2018

Below is an example to get you going....

| makeresults count=2 
| streamstats count 
| eval _raw = CASE ( count=1,"IP -- [Date +0000] \"POST /PATH/URI/ HTTP/1.1\" 200 1.599 0 \"https://URL/to/PAGES.html\" \"Mozilla/5.0 ( Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0\" \"IP, IP\" Correlation-ID=\"10 Digit number\"", count=2,"IP -- [Date +0000] \"POST /PATH/URI/ HTTP/1.1\" 200 1.599 0 \"https://URL/to/PAGES2.html\" \"Mozilla/5.0 (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0\" \"IP, IP\" Correlation-ID=\"10 Digit number\"") 
| rex field=_raw "[^\"]*\"[^\"]*\"[^\"]*\"(?<url>[^\"]*)" 
| stats count by url

You might also want to consider looking at Splunk Add-on for Apache Web Server which contains pre-canned fields extractions for apache logs

How to write a regular expression to extract and count the number of calls per URL from Apache web access logs?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation