Is there a way to match this and produce result with both uri_path and api_name?

mikeyty07
Communicator

My Access logs:
server - - [date & time] "GET /google/page1/page1a/633243463476/googlep1 HTTP/1.1200 350 85

rex query:
(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)

Search query with lookup
*some query*
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"
| lookup abc.csv uri_path OUTPUT serviceName apiName

I am using the above query to look up from the csv file but am not getting any results. In this lookup file I have these fields. apiName is the unique name in this csv file which I am trying to link with the uri_path, but I am not able to do so.

Is there a way to match this and produce a result with both uri_path and api_name? Can anyone please help me with this?

serviceName | uri_path | http_method | apiName
/google | /page1/page1a/633243463476/googlep1 | post | postusingRRR
1 Solution

bowesmana
SplunkTrust

Ah, now that you have posted the real contents: your uri_paths have * in them, which will not match unless you set up a lookup definition (you are just using a lookup file, .csv).

In the lookup definition, you have to add WILDCARD(uri_path) in the Match Type advanced options.

bowesmana
SplunkTrust

Before your lookup command are you saying you have a data field uri_path with contents "/page1/page1a/633243463476/googlep1" and also in your lookup you have the same field uri_path with the same contents, yet the lookup does not return the apiName or serviceName?

If you believe that is so, then try these two commands

| makeresults
| eval uri_path="/page1/page1a/633243463476/googlep1"
| lookup abc.csv uri_path OUTPUT serviceName apiName

OR

| inputlookup abc.csv where uri_path="/page1/page1a/633243463476/googlep1"

Both of these should give you the row from the lookup file.

If not, then the content of uri_path before the lookup is not that string.

mikeyty07
Communicator

Yes. For example, I have data like this in the csv file. The numbers are different each time, so I am using this unique apiName field to gather how many calls are going to a particular api.

With this search query I am able to see the apiName, but when I select only one apiName it still shows other, different uri_path values as well.

<my search query>
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"| search serviceName="*" | lookup abc.csv serviceName OUTPUT uri_path apiName

serviceName | uri_path | http_method | apiName
/google | /page1/page1a/*/googlep1 | post | postusingRRR
/google | /page1/page1a/sada/*/googlep1 | get | getusingep2
/google | /pag5/ggg/*/ooopp/ggplr | delete | deleteusing

But the two queries don't seem to work.
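As an added illustration (not code from this thread, and not Splunk's own lookup implementation), the Python below reproduces the two behaviours the thread turns on: the exact-match check bowesmana suggests with makeresults and inputlookup, and the wildcard matching that the accepted solution enables by choosing WILDCARD(uri_path) as the Match Type of the lookup definition (in transforms.conf that is match_type = WILDCARD(uri_path)). The regex is the thread's own rex pattern translated to Python syntax; the access-log lines and the abc.csv contents are constructed to match the shapes posted above, and the helper names are assumed for this example.

```python
import csv
import io
import re

# The rex pattern from the thread as a Python regex (Splunk's \" inside the
# rex string is a plain " here, and (?<name>...) becomes (?P<name>...)).
ACCESS_LOG_RE = re.compile(
    r'(?P<SRC>\d+\.\d+\.\d+\.\d+).+\]\s"(?P<http_method>\w+)\s'
    r'(?P<serviceName>/[^/]+)(?P<uri_path>[^?\s]+)\s(?P<uri_query>\S+)"\s'
    r'(?P<statusCode>\d+)\s(?P<body_size>\d+)\s\s(?P<response_time>\d+)'
)

# Constructed access-log lines in the shape the poster describes
# (client IP, timestamp, request line, status, bytes, two spaces, response time).
SAMPLE_LOGS = [
    '10.0.0.7 - - [01/Jan/2024:10:00:00 +0000] "GET /google/page1/page1a/633243463476/googlep1 HTTP/1.1" 200 350  85',
    '10.0.0.8 - - [01/Jan/2024:10:00:01 +0000] "DELETE /google/pag5/ggg/9911/ooopp/ggplr HTTP/1.1" 204 0  12',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /google/unknown/route HTTP/1.1" 404 120  3',
]

# Constructed abc.csv with the columns and wildcard rows the poster showed.
LOOKUP_CSV = """serviceName,uri_path,http_method,apiName
/google,/page1/page1a/*/googlep1,post,postusingRRR
/google,/page1/page1a/sada/*/googlep1,get,getusingep2
/google,/pag5/ggg/*/ooopp/ggplr,delete,deleteusing
"""


def parse_access_log(line):
    """Apply the thread's rex pattern; return the named fields, or None if it does not match."""
    m = ACCESS_LOG_RE.search(line)
    return m.groupdict() if m else None


def load_lookup(csv_text):
    """Read the lookup table the way `| inputlookup abc.csv` would expose it."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup_exact(rows, uri_path):
    """Default lookup behaviour: the event value must equal the CSV cell character
    for character, so a cell containing '*' only matches an event whose uri_path
    literally contains '*'."""
    for row in rows:
        if row["uri_path"] == uri_path:
            return row
    return None


def wildcard_to_regex(pattern):
    """Only '*' is special in a WILDCARD() lookup field; everything else is literal."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def lookup_wildcard(rows, uri_path):
    """Behaviour after the lookup definition gets match_type = WILDCARD(uri_path):
    '*' in the CSV cell matches any run of characters in the event value."""
    for row in rows:
        if wildcard_to_regex(row["uri_path"]).match(uri_path):
            return row
    return None


def rows_for_service(rows, service_name):
    """Matching on serviceName alone (the poster's second query) returns every row
    with that service; Splunk hands apiName back as a multivalue field in that case."""
    return [row for row in rows if row["serviceName"] == service_name]


def enrich(lines, rows, wildcard=False):
    """Mirror `| rex ... | lookup abc.csv uri_path OUTPUT serviceName apiName` over raw
    log lines (only apiName is attached here)."""
    match = lookup_wildcard if wildcard else lookup_exact
    results = []
    for line in lines:
        fields = parse_access_log(line)
        if fields is None:
            continue  # rex did not match; Splunk would leave the fields empty
        row = match(rows, fields["uri_path"])
        fields["apiName"] = row["apiName"] if row else None
        results.append(fields)
    return results


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for mode in (False, True):
        print("wildcard match" if mode else "exact match")
        for r in enrich(SAMPLE_LOGS, table, wildcard=mode):
            print(f"  {r['http_method']:6} {r['uri_path']:40} -> {r['apiName']}")
```

Running it shows why the makeresults and inputlookup checks come back empty: with the default match type, every extracted uri_path fails against cells such as /page1/page1a/*/googlep1, and only a value that literally contains the asterisk would hit. With wildcard matching the first and second log lines resolve to postusingRRR and deleteusing, and the unknown route stays unmatched. It also shows what the poster's second query does: every row in the table has serviceName /google, so keying the lookup on serviceName alone matches all three rows, which is why several uri_path and apiName values come back for one event.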

