Hi,
I have the below data and am looking to determine the API call name.
For the first one the name would be alarmSessions
They follow the same pattern until the 4th one. The API name in that one is actionTemplate
Also, sometimes the /rest/icontrol will be /rest/async/icontrol or /restOperation/(whatever)
Any regex gurus out there that can help with this one??
Thank you!!!
10/14/18
6:59:59.000 PM
"portal.blah.com" 10.210.192.15 "172.58.72.114, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/239466/alarmSessions?maxResults=1 HTTP/1.1" 200 360 0 UCT-9178 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77" "-" "-"
date_hour = 19 date_mday = 14 date_minute = 59 date_month = october date_second = 59 date_wday = sunday date_year = 2018 date_zone = -240 maxResults = 1 timeendpos = 105 timestartpos = 79
10/14/18
6:59:59.000 PM
"portal.blah.com" 10.210.192.15 "174.238.30.224, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/async/icontrol/sites/607321/deltas?spsId=55056 HTTP/1.1" 200 1574 0 UCT-1794 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16A366" "-" "-"
date_hour = 19 date_mday = 14 date_minute = 59 date_month = october date_second = 59 date_wday = sunday date_year = 2018 date_zone = -240 spsId = 55056 timeendpos = 106 timestartpos = 80
10/14/18
6:59:59.000 PM
"portal.blah.com" 10.210.192.15 "172.58.22.161, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/244140/cmsInfo HTTP/1.1" 200 970 0 UCT-31983 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G935T Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday = 14 date_minute = 59 date_month = october date_second = 59 date_wday = sunday date_year = 2018 date_zone = -240 timeendpos = 105 timestartpos = 79
10/14/18
6:59:59.000 PM
"portal.blah.com" 10.210.192.5 "107.77.197.229, 10.210.192.5" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1" 200 3374 0 UCT-60344 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-N950U Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday = 14 date_minute = 59 date_month = october date_second = 59 date_wday = sunday date_year = 2018 date_zone = -240 timeendpos = 104 timestartpos = 78
10/14/18
6:59:59.000 PM
"portal.blah.com" 10.210.192.15 "172.58.22.161, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/244140/rules HTTP/1.1" 200 1694 0 UCT-131279 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-G935T Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday = 14 date_minute = 59 date_month = october date_second = 59 date_wday = sunday date_year = 2018 date_zone = -240 timeendpos = 105 timestartpos = 79
10/14/18
6:59:59.000 PM
"portal.blah.com" 10.210.192.15 "172.58.73.206, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "POST /rest/icontrol/sites/612724/network/instances/13b0ce18140337362f.1.0/points/isOn?value=false HTTP/1.1" 202 9 0 UCT-37015 "-" "Mozilla/5.0 (Linux; Android 7.1.1; SM-J700T Build/NMF26X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
date_hour = 19 date_mday = 14 date_minute = 59 date_month = october date_second = 59 date_wday = sunday date_year = 2018 date_zone = -240 timeendpos = 105 timestartpos = 79 value = false
10/14/18
6:59:59.000 PM
"portal.blah.com" 10.210.192.15 "107.77.197.229, 10.210.192.15" - - [14/Oct/2018:19:59:59 -0400] "GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1" 200 3374 0 UCT-52230 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SM-N950U Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36" "-" "-"
Hi dbcase,
Not that I'm a regex expert 😉 But give this a try, it worked on your provided samples:
... | rex "\/(?<myREST>\w+)(?:\?.+|\s)HTTP"
This will give you a field called myREST with values like alarmSessions, isOn or cmsInfo.
Hope this helps ...
cheers, MuS
... | rex "sites\/\d+\/(?:templates\/)?(?<APIcall>[^?\s]+)"
Returns these results for APIcall:
Match 1
Group APIcall
160-173 alarmSessions
Match 2
Group APIcall
730-736 deltas
Match 3
Group APIcall
1284-1291 cmsInfo
Match 4
Group APIcall
1863-1878 actionTemplates
Match 5
Group APIcall
2442-2447 rules
Match 6
Group APIcall
3013-3065 network/instances/13b0ce18140337362f.1.0/points/isOn
Match 7
Group APIcall
3667-3682 actionTemplates
Your intro made it look to me like you wanted everything after sites/somenumber except in the 4th you specifically said the result should be actionTemplate so I skipped /templates/. However, you did not say that #6 should be just isOn so I include the longer result for that one. If you wanted just what MuS returned, you are also all set.
I started with:
| rex "/rest(Operation)?/([^/]+/){4}(?P<thefieldname>[^/? ]+)"
But I don't have enough info on what you're trying to match here, I mean if icontrol is always there then:
| rex "/rest(Operation)?/icontrol/([^/ ]+/)+(?P<thefieldname>[^/? ]+)"
Either way I think you need more examples to truly make this work...try those two on https://regex101.com/
Try this for GET
rex field=_raw "GET \W+\w+\S+\d+\W+(?<text>\w+)\?"
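Added example, not part of any post in this thread: a Python harness that runs the patterns suggested above against the request lines from the question, so their results can be compared side by side before one is used in a search. Python's re module needs (?P<name>...), so the (?<name>...) groups are rewritten and every capture is renamed api; the dictionary keys and function names are made up for this example.

```python
import re

# Request lines copied from the question's sample events (other log fields dropped).
REQUESTS = [
    "GET /rest/icontrol/sites/239466/alarmSessions?maxResults=1 HTTP/1.1",
    "GET /rest/async/icontrol/sites/607321/deltas?spsId=55056 HTTP/1.1",
    "GET /rest/icontrol/sites/244140/cmsInfo HTTP/1.1",
    "GET /rest/icontrol/sites/158424/templates/actionTemplates HTTP/1.1",
    "POST /rest/icontrol/sites/612724/network/instances/13b0ce18140337362f.1.0"
    "/points/isOn?value=false HTTP/1.1",
]

# The thread's rex patterns; only the group syntax and group name are changed.
PATTERNS = {
    "last_segment": r"\/(?P<api>\w+)(?:\?.+|\s)HTTP",
    "after_site_id": r"sites\/\d+\/(?:templates\/)?(?P<api>[^?\s]+)",
    "fixed_depth": r"/rest(Operation)?/([^/]+/){4}(?P<api>[^/? ]+)",
    "icontrol_greedy": r"/rest(Operation)?/icontrol/([^/ ]+/)+(?P<api>[^/? ]+)",
    "get_with_query": r"GET \W+\w+\S+\d+\W+(?P<api>\w+)\?",
}


def extract(pattern, line):
    """Return the captured API name, or None when the pattern does not match."""
    match = re.search(pattern, line)
    return match.group("api") if match else None


def compare(lines=REQUESTS):
    """Map each pattern label to its per-line extraction results."""
    return {
        label: [extract(pattern, line) for line in lines]
        for label, pattern in PATTERNS.items()
    }


if __name__ == "__main__":
    for label, results in compare().items():
        print(f"{label:16} {results}")
```

The fixed-depth pattern returns 1.1 where the name sits three segments below /rest/, because [^/]+ can run across the space into HTTP/. The None and long-path results show which URL shapes each of the other patterns assumes.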