My Access logs:
server - - [date& time] "GET /google/page1/page1a/633243463476/googlep1 HTTP/1.1" 200 350 85
rex query:
(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)
Search query with lookup
*some query*
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"
| lookup abc.csv uri_path OUTPUT serviceName apiName
I am using the above query to look up from a csv file but am not getting any results. In this lookup file I have these fields. apiName is the unique name in this csv file, which I am trying to link with the uri_path, but I am not able to do so.
Is there a way to match this and produce a result with both uri_path and api_name? Can anyone please help me with this?
serviceName | uri_path | http_method | apiName |
/page1/page1a/633243463476/googlep1 | post | postusingRRR |
Before your lookup command, are you saying you have a data field uri_path with contents "/page1/page1a/633243463476/googlep1" and also in your lookup you have the same field uri_path with the same contents, yet the lookup does not return the apiName or serviceName?
If you believe that is so, then try these two commands
| makeresults
| eval uri_path="/page1/page1a/633243463476/googlep1"
| lookup abc.csv uri_path OUTPUT serviceName apiName
OR
| inputlookup abc.csv where uri_path="/page1/page1a/633243463476/googlep1"
Both of these should give you the row from the lookup file.
If not, then the contents of uri_path before the lookup are not that string.
Yes. For example, I have data like this in the csv file. The numbers are different each time, so I am using this unique apiName field to gather how many calls are going to a particular api.
With this search query I am able to see the apiName, but when I select only one apiName it still shows other uri_path values as well
<my search query>
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"
| search serviceName="*"
| lookup abc.csv serviceName OUTPUT uri_path apiName
serviceName | uri_path | http_method | apiName |
/page1/page1a/*/googlep1 | post | postusingRRR | |
/page1/page1a/sada/*/googlep1 | get | getusingep2 | |
/pag5/ggg/*/ooopp/ggplr | delete | deleteusing |
But the two queries don't seem to work
Ah, now you post the real contents, your uri_paths have * in them, which will not match unless you set up a lookup definition (you are just using a lookup file .csv).
In the lookup definition, you have to add WILDCARD(uri_path) in the Match Type advanced options.
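The lookup definition described in the answer above, written as a transforms.conf stanza (the file behind the Lookup definitions page in Settings). This is an added example, not part of the original thread; the stanza name abc_wildcard is an assumed name, and the search shown in the comments assumes uri_path is extracted by the rex from the question.

```ini
# transforms.conf, in the app that holds abc.csv
# "abc_wildcard" is an assumed name for this example.
[abc_wildcard]
filename = abc.csv

# Treat * in the CSV's uri_path column as a wildcard, so a row such as
# /page1/page1a/*/googlep1 matches an event whose extracted uri_path is
# /page1/page1a/633243463476/googlep1. Without this setting the lookup
# does an exact string comparison and the * is only a literal character.
match_type = WILDCARD(uri_path)

# Return only the first matching row. Rows are tried in file order, so
# put more specific patterns above broader ones in abc.csv.
max_matches = 1

# In the search, reference the definition name instead of the file name:
#
#   <your base search>
#   | rex field=_raw "<the rex from the question>"
#   | lookup abc_wildcard uri_path OUTPUT apiName
#
# Check the definition on its own with the test from the earlier reply:
#
#   | makeresults
#   | eval uri_path="/page1/page1a/633243463476/googlep1"
#   | lookup abc_wildcard uri_path OUTPUT apiName
```

Calling `lookup abc.csv ...` directly bypasses the definition, so the wildcard match type only applies when the search uses the definition name.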