Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a transaction search where startswith starts with event A, while endswith must match a regex

phudinhha
Explorer
‎07-09-2015 11:08 AM

I need to find a sequence of activity that always start with:
http://abc.com/abc.html
http://abc.com/end.xvz?....

so I tried to uses this search query:

index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"^\/\w+\.\w+")

However, the return result is 0 event.

Is there anyway that I can refine it?

Thank you so much

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-09-2015 12:33 PM

Try this:

 index=sourceindex | rex field=url "(?<url_front>[^\?]*)\/(?<url_back>.*)" | transaction url_front maxspan=30s endswith=eval(match(url_back,"end.xyz"))

Actually, you may not even need the endswith part (which I know is wrong because I don't know what you are trying to match exactly).

0 Karma
Reply

phudinhha
Explorer
‎07-09-2015 12:52 PM

I recognized the pattern in network activities like this.

http://123.com/abc.html
http://123.com/end.xvz?....

AND

http://456.com/abc.html
http://456.com/quiz.one?...

So I want to use transaction to look for a sequence of activity that starts with "abc.html" and ends with ""^/w+.w+".

0 Karma
Reply

woodcock
Esteemed Legend
‎07-09-2015 12:56 PM

Your RegEx will never match (even if url has http:// removed). To make it match, use something like this:

 index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"\w+\.\w+\?")
0 Karma
Reply

phudinhha
Explorer
‎07-09-2015 12:22 PM

Dear woodcock,
The return result is 0 event. However, when i omit the "endswith" part, the expected "end.xvz?...." also shows in the event tab as a part of "/abc.html" event. What does it mean?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...