Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Interesting regex

dbcase
Motivator
‎10-15-2018 01:31 PM

Hi,

I have the below data and looking to determine the API call name .

For the first one the name would be

alarmSessions

The follow the same pattern until the 4th one. The API name in that one is

actionTemplate

Also sometimes the /rest/icontrol will be /rest/async/icontrol or /restOperation/(whatever)

Any regex gurus out there that can help with with one??

Thank you!!!

10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.72.114, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/239466/alarmSessions?maxResults=1 HTTP/1.1" 200 360 0 UCT-9178 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 maxResults =   1 timeendpos =  105 timestartpos =  79
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "174.238.30.224, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/async/icontrol/sites/607321/deltas?spsId=55056 HTTP/1.1" 200 1574 0 UCT-1794 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16A366" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 spsId =    55056 timeendpos =  106 timestartpos =  80
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.22.161, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/244140/cmsInfo HTTP/1.1" 200 970 0 UCT-31983 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G935T Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   105 timestartpos =  79
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.5 "107.77.197.229, 10.210.192.5" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1" 200 3374 0 UCT-60344 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-N950U Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   104 timestartpos =  78
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.22.161, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/244140/rules HTTP/1.1" 200 1694 0 UCT-131279 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G935T Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   105 timestartpos =  79
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "172.58.73.206, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "POST /rest/icontrol/sites/612724/network/instances/13b0ce18140337362f.1.0/points/isOn?value=false HTTP/1.1" 202 9 0 UCT-37015 "-" "Mozilla/5.0 (Linux; Android 7.1.1; SM-J700T Build/NMF26X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday =  14 date_minute =    59 date_month = october date_second =   59 date_wday =  sunday date_year =  2018 date_zone =    -240 timeendpos =   105 timestartpos =  79 value =  false
10/14/18
6:59:59.000 PM  
"portal.blah.com" 10.210.192.15 "107.77.197.229, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1" 200 3374 0 UCT-52230 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-N950U Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-15-2018 03:25 PM

Hi dbcase,

Not that I'm an regex expert 😉 But give this a try, it worked on your provided samples:

 ... | rex "\/(?<myREST>\w+)(?:\?.+|\s)HTTP"

This will give you a field called myREST with values like alarmSessions, isOn or cmsInfo.

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎10-15-2018 03:58 PM 
... | rex "sites\/\d+\/(?:templates\/)?(?<APIcall>[^?\s]+)"

Returns these results for APIcall:

Match 1
Group APIcall 160-173 alarmSessions
Match 2
Group APIcall 730-736 deltas
Match 3
Group APIcall 1284-1291 cmsInfo
Match 4
Group APIcall 1863-1878 actionTemplates
Match 5
Group APIcall 2442-2447 rules
Match 6
Group APIcall 3013-3065 network/instances/13b0ce18140337362f.1.0/points/isOn
Match 7
Group APIcall 3667-3682 actionTemplates

Your intro made it look to me like you wanted everything after sites/somenumber except in the 4th you specifically said the result should be actionTemplate so I skipped /templates/. However, you did not say that #6 should be just isOn so I include the longer result for that one. If you wanted just what MuS returned, you are also all set.

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎10-15-2018 03:31 PM

I started with:

| rex "/rest(Operation)?/([^/]+/){4}(?P<thefieldname>[^/? ]+)"

But I don't have enough info on what your trying to match here, I mean if icontrol is always there then:

| rex "/rest(Operation)?/icontrol/([^/ ]+/)+(?P<thefieldname>[^/? ]+)"

Either way I think you need more examples to truly make this work...try those two on https://regex101.com/

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-15-2018 03:25 PM

Hi dbcase,

Not that I'm an regex expert 😉 But give this a try, it worked on your provided samples:

 ... | rex "\/(?<myREST>\w+)(?:\?.+|\s)HTTP"

This will give you a field called myREST with values like alarmSessions, isOn or cmsInfo.

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-15-2018 03:24 PM

Try this for GET

 rex field=_raw "GET \W+\w+\S+\d+\W+(?<text>\w+)\?"
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...