Is there a way to match this and produce result with both uri_path and api_name?

mikeyty07
Communicator

My Access logs:
server - - [date& time] "GET /google/page1/page1a/633243463476/googlep1 HTTP/1.1200 350 85

rex query:
(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)

Search query with lookup
*some query*
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"
| lookup abc.csv uri_path OUTPUT serviceName apiName

I am using the above query to look up from the csv file but am not getting any results. In this lookup file I have these fields. apiName is the unique name in this csv file which I am trying to link with the uri_path, but I am not able to do so.

Is there a way to match this and produce a result with both uri_path and api_name? Can anyone please help me on this?

serviceName  uri_path                             http_method  apiName
/google      /page1/page1a/633243463476/googlep1  post         postusingRRR

bowesmana
SplunkTrust

Before your lookup command, are you saying you have a data field uri_path with contents "/page1/page1a/633243463476/googlep1", and also in your lookup you have the same field uri_path with the same contents, yet the lookup does not return the apiName or serviceName?

If you believe that is so, then try these two commands:

| makeresults
| eval uri_path="/page1/page1a/633243463476/googlep1"
| lookup abc.csv uri_path OUTPUT serviceName apiName

OR

| inputlookup abc.csv where uri_path="/page1/page1a/633243463476/googlep1"

Both of these should give you the row from the lookup file.

If not, then the contents of uri_path before the lookup are not that string.


mikeyty07
Communicator

Yes. For example, I've data like this in the csv file. The numbers are different each time, so I am using this unique apiName field to gather how many calls are going to a particular API.

With this search query I am able to see the apiName, but when I select only one apiName it still shows other uri_path values as well.

<my search query>
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"
| search serviceName="*"
| lookup abc.csv serviceName OUTPUT uri_path apiName

serviceName  uri_path                          http_method  apiName
/google      /page1/page1a/*/googlep1          post         postusingRRR
/google      /page1/page1a/sada/*/googlep1     get          getusingep2
/google      /pag5/ggg/*/ooopp/ggplr           delete       deleteusing


But the two queries don't seem to work.

bowesmana
SplunkTrust

Ah, now you post the real contents: your uri_paths have * in them, which will not match unless you set up a lookup definition (you are just using a lookup file, .csv).

In the lookup definition, you have to add WILDCARD(uri_path) in the Match Type advanced options.
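To see why a bare .csv lookup never matches these rows and what the WILDCARD match type changes, here is an added Python emulation that is not from the thread or from Splunk: it runs the poster's rex pattern over two constructed log lines and looks them up in a constructed copy of abc.csv, first with exact matching and then with Splunk-style wildcard matching. The (?P<name>...) group syntax, the sample IPs and timestamps, and the extract()/lookup() helpers are assumptions of this example.

```python
import csv
import io
import re

# The rex pattern from the thread, with Splunk's (?<name>...) groups rewritten as
# Python's (?P<name>...). As in the thread, uri_query ends up holding "HTTP/1.1"
# when the path carries no query string.
ACCESS_RE = re.compile(
    r'(?P<SRC>\d+\.\d+\.\d+\.\d+).+\]\s"(?P<http_method>\w+)\s(?P<serviceName>/[^/]+)'
    r'(?P<uri_path>[^?\s]+)\s(?P<uri_query>\S+)"\s(?P<statusCode>\d+)\s'
    r'(?P<body_size>\d+)\s\s(?P<response_time>\d+)'
)
# Constructed abc.csv holding the rows the poster showed.
ABC_CSV = """serviceName,uri_path,http_method,apiName
/google,/page1/page1a/*/googlep1,post,postusingRRR
/google,/page1/page1a/sada/*/googlep1,get,getusingep2
/google,/pag5/ggg/*/ooopp/ggplr,delete,deleteusing
"""
LOOKUP_ROWS = list(csv.DictReader(io.StringIO(ABC_CSV)))
# Constructed access-log lines in the thread's format (IPs and timestamps made up).
LOG_POST = ('10.0.0.1 - - [01/Jan/2024:00:00:00 +0000] '
            '"POST /google/page1/page1a/633243463476/googlep1 HTTP/1.1" 200 350  85')
LOG_GET = ('10.0.0.2 - - [01/Jan/2024:00:00:01 +0000] '
           '"GET /google/page1/page1a/sada/55/googlep1 HTTP/1.1" 200 120  40')

def wildcard_to_re(pattern):
    """Splunk WILDCARD match: only '*' is special, everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

def extract(line):
    """Apply the rex pattern; lower-case the method because lookups match
    case-sensitively by default and the CSV stores post/get/delete."""
    m = ACCESS_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["http_method"] = event["http_method"].lower()
    return event

def lookup(event, keys, wildcard_fields=(), rows=LOOKUP_ROWS):
    """Emulate '| lookup <definition> <keys> OUTPUT serviceName apiName': return the
    first row whose key fields all match. Keys named in wildcard_fields compare the
    way match_type = WILDCARD(<field>) does; all other keys compare exactly, which
    is all a bare .csv lookup file ever does and why the '*' rows never matched."""
    for row in rows:
        if all(wildcard_to_re(row[k]).match(event[k]) if k in wildcard_fields
               else row[k] == event[k] for k in keys):
            return {"serviceName": row["serviceName"], "apiName": row["apiName"]}
    return None
```

Note that the first row's pattern also matches paths of the second row's shape, so keying the lookup on http_method as well (or tightening the patterns) is what keeps the GET request from being counted as postusingRRR. In Splunk itself the equivalent of wildcard_fields is a lookup definition whose transforms.conf stanza sets match_type = WILDCARD(uri_path), with the search referencing the definition name instead of abc.csv.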
