Splunk Search

Interesting regex

dbcase
Motivator

Hi,

I have the below data and am looking to determine the API call name.

For the first one the name would be

alarmSessions

They follow the same pattern until the 4th one. The API name in that one is

actionTemplate

Also sometimes the /rest/icontrol will be /rest/async/icontrol or /restOperation/(whatever)

Any regex gurus out there that can help with this one??

Thank you!!!

10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.72.114, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/239466/alarmSessions?maxResults=1 HTTP/1.1" 200 360 0 UCT-9178 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 maxResults =   1 timeendpos =  105 timestartpos =  79
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "174.238.30.224, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/async/icontrol/sites/607321/deltas?spsId=55056 HTTP/1.1" 200 1574 0 UCT-1794 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16A366" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 spsId =    55056 timeendpos =  106 timestartpos =  80
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.22.161, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/244140/cmsInfo HTTP/1.1" 200 970 0 UCT-31983 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G935T Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   105 timestartpos =  79
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.5 "107.77.197.229, 10.210.192.5" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1" 200 3374 0 UCT-60344 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-N950U Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   104 timestartpos =  78
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.22.161, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/244140/rules HTTP/1.1" 200 1694 0 UCT-131279 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G935T Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   105 timestartpos =  79
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.73.206, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "POST /rest/icontrol/sites/612724/network/instances/13b0ce18140337362f.1.0/points/isOn?value=false HTTP/1.1" 202 9 0 UCT-37015 "-" "Mozilla/5.0 (Linux; Android 7.1.1; SM-J700T Build/NMF26X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   105 timestartpos =  79 value =  false
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "107.77.197.229, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1" 200 3374 0 UCT-52230 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-N950U Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
0 Karma
1 Solution

MuS
SplunkTrust

Hi dbcase,

Not that I'm a regex expert 😉 But give this a try, it worked on your provided samples:

 ... | rex "\/(?<myREST>\w+)(?:\?.+|\s)HTTP"

This will give you a field called myREST with values like alarmSessions, isOn or cmsInfo.

Hope this helps ...

cheers, MuS


0 Karma

wrangler2x
Motivator
... | rex "sites\/\d+\/(?:templates\/)?(?<APIcall>[^?\s]+)"

Returns these results for APIcall:

Match 1  APIcall 160-173   alarmSessions
Match 2  APIcall 730-736   deltas
Match 3  APIcall 1284-1291 cmsInfo
Match 4  APIcall 1863-1878 actionTemplates
Match 5  APIcall 2442-2447 rules
Match 6  APIcall 3013-3065 network/instances/13b0ce18140337362f.1.0/points/isOn
Match 7  APIcall 3667-3682 actionTemplates

Your intro made it look to me like you wanted everything after sites/somenumber, except that in the 4th you specifically said the result should be actionTemplate, so I skipped /templates/. However, you did not say that #6 should be just isOn, so I included the longer result for that one. If you wanted just what MuS returned, you are also all set.

0 Karma

gjanders
SplunkTrust

I started with:

| rex "/rest(Operation)?/([^/]+/){4}(?P<thefieldname>[^/? ]+)"

But I don't have enough info on what you're trying to match here. I mean, if icontrol is always there then:

| rex "/rest(Operation)?/icontrol/([^/ ]+/)+(?P<thefieldname>[^/? ]+)"

Either way, I think you need more examples to truly make this work... try those two on https://regex101.com/

0 Karma

Vijeta
Influencer

Try this for GET

 rex field=_raw "GET \W+\w+\S+\d+\W+(?<text>\w+)\?"
0 Karma
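To check the patterns in this thread without pasting everything into regex101, here is an added Python harness. It is an editor's addition, not code from any of the posters: it runs each rex pattern exactly as posted over trimmed copies of the six distinct request lines from the question and reports what the named group captures on each. Splunk's rex is PCRE, so the `(?<name>...)` groups are rewritten to Python's `(?P<name>...)` form before use. The last entry, EDITOR_PATTERN, is my own candidate and is not in the thread: it anchors on the quoted HTTP method and the ` HTTP/` terminator, lets the prefix be `/rest/icontrol`, `/rest/async/icontrol` or `/restOperation/...`, and keeps the final path segment even when it contains dots or dashes, which `\w+` would reject.

```python
import re

# Trimmed copies of the request portion of the six distinct events posted in
# the question (host, IPs and user agent dropped to keep the sample short; the
# patterns under test only look at the request path anyway).
SAMPLE_EVENTS = [
    '"GET /rest/icontrol/sites/239466/alarmSessions?maxResults=1 HTTP/1.1" 200 360',
    '"GET /rest/async/icontrol/sites/607321/deltas?spsId=55056 HTTP/1.1" 200 1574',
    '"GET /rest/icontrol/sites/244140/cmsInfo HTTP/1.1" 200 970',
    '"GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1" 200 3374',
    '"GET /rest/icontrol/sites/244140/rules HTTP/1.1" 200 1694',
    '"POST /rest/icontrol/sites/612724/network/instances/13b0ce18140337362f.1.0/points/isOn?value=false HTTP/1.1" 202 9',
]

# The patterns exactly as posted in the thread: author -> (pattern, field name).
POSTED_PATTERNS = {
    "MuS":        (r"\/(?<myREST>\w+)(?:\?.+|\s)HTTP", "myREST"),
    "wrangler2x": (r"sites\/\d+\/(?:templates\/)?(?<APIcall>[^?\s]+)", "APIcall"),
    "gjanders-1": (r"/rest(Operation)?/([^/]+/){4}(?P<thefieldname>[^/? ]+)", "thefieldname"),
    "gjanders-2": (r"/rest(Operation)?/icontrol/([^/ ]+/)+(?P<thefieldname>[^/? ]+)", "thefieldname"),
    "Vijeta":     (r"GET \W+\w+\S+\d+\W+(?<text>\w+)\?", "text"),
}

# Editor's own candidate (an assumption, not from the thread): anchor on the
# quoted method and the " HTTP/" terminator, allow any /rest... prefix, and take
# the last path segment, permitting dots and dashes inside it.
EDITOR_PATTERN = r'"(?<method>[A-Z]+) /rest\S*?/(?<api>[^/?\s]+)(?:\?\S*)? HTTP/'


def to_python_regex(pcre):
    """Splunk's rex uses PCRE, where a named group is (?<name>...). Python's re
    accepts only (?P<name>...), so rewrite that one form. Lookbehinds (?<= and
    (?<! start with a non-letter and are left untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre)


def extract(pattern, field, event):
    """Apply one pattern to one event the way rex does (first match wins) and
    return the named field, or None when the pattern does not match at all."""
    m = re.search(to_python_regex(pattern), event)
    return m.group(field) if m else None


def run_candidates(events=SAMPLE_EVENTS):
    """Return {author: [captured value per event]} for every posted pattern
    plus the editor's candidate, so the six results can be compared side by side."""
    patterns = dict(POSTED_PATTERNS, editor=(EDITOR_PATTERN, "api"))
    return {name: [extract(p, f, e) for e in events] for name, (p, f) in patterns.items()}


def request_summary(event):
    """(method, api) for one event via EDITOR_PATTERN, or None. Keeping the
    method lets the POST to isOn?value=false (a state change) be counted
    separately from the read-only GET traffic."""
    m = re.search(to_python_regex(EDITOR_PATTERN), event)
    return (m.group("method"), m.group("api")) if m else None


if __name__ == "__main__":
    for name, values in run_candidates().items():
        print(f"{name:11} {values}")
    print(request_summary(SAMPLE_EVENTS[5]))
```

Running it shows that MuS's pattern and the editor candidate return the expected name on all six samples. gjanders's first pattern captures `1.1"` from `HTTP/1.1"` whenever the fourth `[^/]+/` repetition swallows the space before `HTTP/`, his second pattern does not match the `/rest/async/icontrol` line at all, and Vijeta's only fires on GET requests that carry a query string. In SPL the editor pattern would be used as `... | rex "<pattern>" | stats count by method api`, with the leading double quote inside the pattern escaped as `\"`.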