Splunk Search
How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

Explorer

Hello,

I have data in Splunk Cloud which has a path=/api/versions/:version_id where version_id can be anything acceptable in a URL.

I'm trying to write a search that finds and creates a pie chart of the :version_ids over the past 24 hours and past 7 days.

I've tried this search, but it's not returning the right results:

source=/var/log/mylog.log | rex field=path "/api/versions/(?.*)" 

I get results that don't actually match the regex above.

Can anyone point me to some docs so I can get the right usage of the regex and create my dashboard?

Thanks

0 Karma

Re: How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

SplunkTrust

Slashes must be escaped and your group is mal-formed. Try this:

... | rex field=path "\/api\/versions\/:(?<version_id>.*)"
---
If this reply helps you, an upvote would be appreciated.

Re: How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

Explorer

Thanks for the info. I've adapted my string:

source=/var/log/my.log | rex field=path "\/api\/versions\/:(?.*)"

But it's still matching things like /api/sections/123/items/123

Any ideas?

Note: This box keeps stripping out the < version_id >

0 Karma

Re: How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

SplunkTrust

There's no way "/api/versions/:" can match "/api/sections/". Perhaps it would help if you shared (anonymized) sample data.

($.*) is not a valid regex construct. Use (?<version_id>.*).

You can change 'version_id' to any string you want to be the field name to hold matching version IDs.

Indent your code by 4 spaces to preserve backslashes and other formatting characters.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How to write a search with the regex to extract strings of URL IDs and create a pie chart with this field?

SplunkTrust

The above does work for me and it's not matching. See this run-anywhere sample search:

| gentimes start=-1 | eval path="/api/versions/:version_id /api/versions/api/sections/123/items/123 /api/versions/123/items/123 /api/versions/:version_id /api/sections/123/items/123" | table path | makemv path | mvexpand path | rex field=path "\/api\/versions\/:(?<version_id>.*)" 

Can you post some sample values of field path, including the ones that are not working?

0 Karma
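
An added example, not from any poster in the thread: `rex` only adds the extracted field to events where the pattern matches and leaves every other event in the result set, so the search below drops events without a `version_id` before counting them for the pie chart. The sample paths are constructed, and the optional colon (`:?`) and the `[^/?#]+` character class are assumptions, since the thread never shows real values of `path`.

```spl
| makeresults
| eval data_origin="constructed sample paths, not data from the thread"
| eval path=split("/api/versions/:v1 /api/versions/:v2 /api/sections/123/items/123 /api/versions/:v1 /api/versions/42", " ")
| mvexpand path
| rex field=path "^/api/versions/:?(?<version_id>[^/?#]+)"
| where isnotnull(version_id)
| stats count by version_id
| sort - count
```

Against real data, replace the first four lines with `source=/var/log/mylog.log earliest=-24h` (or `earliest=-7d`) and select the Pie Chart visualization for the resulting `version_id` / `count` table.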