Splunk Search

Is there a way to match this and produce result with both uri_path and api_name?

mikeyty07
Communicator

My Access logs: 
server
 - - [date& time] "GET /google/page1/page1a/633243463476/googlep1 HTTP/1.1200 350 85

rex query:
(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)

Search query with lookup
*some query*
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"
| lookup abc.csv uri_path OUTPUT serviceName apiName

I am using the above query to look up values from a csv file but I am not getting any results. In this lookup file I have these fields. apiName is the unique name in this csv file which I am trying to link with the uri_path, but I am not able to do so.

Is there a way to match this and produce a result with both uri_path and api_name? Can anyone please help me on this?

serviceName uri_path http_method apiName
/google /page1/page1a/633243463476/googlep1 post postusingRRR
1 Solution

bowesmana
SplunkTrust

Ah, now you post the real contents: your uri_paths have * in them, which will not match unless you set up a lookup definition (you are just using a lookup file .csv).

In the lookup definition, you have to add WILDCARD(uri_path) in the Match Type advanced options.

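To make the difference concrete, here is an added example (not code from the thread or from Splunk) that parses one constructed access-log line with the thread's rex pattern and joins it to a stand-in for abc.csv twice: once with exact matching, as a plain .csv lookup does, and once with the WILDCARD(uri_path) semantics the accepted answer asks for in the lookup definition. The host, timestamp and CSV contents are constructed from the rows shown in the thread.

```python
import csv
import io
import re

# Constructed sample log line in the shape posted in the thread (the host
# and timestamp are placeholders, not values from the original post).
ACCESS_LOG = ('10.0.0.1 - - [01/Jan/2024:00:00:00 +0000] '
              '"GET /google/page1/page1a/633243463476/googlep1 HTTP/1.1" 200 350  85')

# The thread's rex pattern, with named groups in Python's (?P<name>...) spelling.
REX = (r'(?P<SRC>\d+\.\d+\.\d+\.\d+).+\]\s"(?P<http_method>\w+)\s(?P<serviceName>/[^/]+)'
       r'(?P<uri_path>[^?\s]+)\s(?P<uri_query>\S+)"\s(?P<statusCode>\d+)\s'
       r'(?P<body_size>\d+)\s\s(?P<response_time>\d+)')

# Constructed stand-in for abc.csv, built from the wildcard rows the poster showed.
ABC_CSV = """serviceName,uri_path,http_method,apiName
/google,/page1/page1a/*/googlep1,post,postusingRRR
/google,/page1/page1a/sada/*/googlep1,get,getusingep2
/google,/pag5/ggg/*/ooopp/ggplr,delete,deleteusing
"""

def parse_access_log(line):
    """Return the rex fields for one event, or None if the line does not match."""
    m = re.match(REX, line)
    return m.groupdict() if m else None

def wildcard_match(pattern, value):
    """Splunk WILDCARD match type: '*' matches any run of characters, everything
    else is literal (so a CSV cell containing '*' never equals a concrete path)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def lookup(rows, field, value, wildcard):
    """Emulate `| lookup <name> uri_path OUTPUT ...` for a single event.
    wildcard=False is a plain .csv lookup (exact match); wildcard=True is the
    lookup definition with WILDCARD(uri_path) from the accepted answer."""
    for row in rows:
        hit = wildcard_match(row[field], value) if wildcard else row[field] == value
        if hit:
            return row
    return None

def resolve_api_name(line, csv_text, wildcard):
    """Parse the event, join it to the lookup on uri_path, and return apiName."""
    event = parse_access_log(line)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    row = lookup(rows, "uri_path", event["uri_path"], wildcard)
    return row["apiName"] if row else None
```

In Splunk itself the wildcard case corresponds to a lookup definition in transforms.conf with `filename = abc.csv` and `match_type = WILDCARD(uri_path)`, after which the search references the definition's stanza name instead of abc.csv.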

bowesmana
SplunkTrust

Before your lookup command are you saying you have a data field uri_path with contents "/page1/page1a/633243463476/googlep1" and also in your lookup you have the same field uri_path with the same contents, yet the lookup does not return the apiName or serviceName?

If you believe that is so, then try these two commands:

| makeresults
| eval uri_path="/page1/page1a/633243463476/googlep1"
| lookup abc.csv uri_path OUTPUT serviceName apiName

OR

| inputlookup abc.csv where uri_path="/page1/page1a/633243463476/googlep1"

Both of these should give you the row from the lookup file.

If not, then the contents of uri_path before the lookup are not that string.


mikeyty07
Communicator

Yes. For example, I have data like this in the csv file. The numbers are different each time, so I am using this unique apiName field to gather how many calls are going to a particular api.

With this search query I am able to see the apiName, but when I select only one apiName it still shows other, different uri_path values as well.

<my search query>
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"| search serviceName="*" | lookup abc.csv serviceName OUTPUT uri_path apiName

serviceName uri_path http_method apiName
/google /page1/page1a/*/googlep1 post postusingRRR
/google /page1/page1a/sada/*/googlep1 get getusingep2
/google /pag5/ggg/*/ooopp/ggplr delete deleteusing


But the two queries don't seem to work.
