Splunk Search

Is there a way to match this and produce result with both uri_path and api_name?

mikeyty07
Communicator

My Access logs: 
server
 - - [date& time] "GET /google/page1/page1a/633243463476/googlep1 HTTP/1.1200 350 85

rex query:
(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)

Search query with lookup
*some query*
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"
| lookup abc.csv uri_path OUTPUT serviceName apiName

I am using the above query to look up from the csv file but I am not getting any results. In this lookup file I have these fields. apiName is the unique name in this csv file which I am trying to link with the uri_path, but I am not able to do so.

Is there a way to match this and produce a result with both uri_path and api_name? Can anyone please help me with this?

serviceName uri_path http_method apiName
/google /page1/page1a/633243463476/googlep1 post postusingRRR
0 Karma

bowesmana
SplunkTrust

Before your lookup command, are you saying you have a data field uri_path with contents "/page1/page1a/633243463476/googlep1" and also in your lookup you have the same field uri_path with the same contents, yet the lookup does not return the apiName or serviceName?

If you believe that is so, then try these two commands

| makeresults
| eval uri_path="/page1/page1a/633243463476/googlep1"
| lookup abc.csv uri_path OUTPUT serviceName apiName

OR

| inputlookup abc.csv where uri_path="/page1/page1a/633243463476/googlep1"

Both of these should give you the row from the lookup file.

If not, then the contents of uri_path before the lookup are not that string.

 

0 Karma

mikeyty07
Communicator

Yes. For example, I have data like this in the csv file. The numbers are different each time, so I am using this unique apiName field to gather how many calls are going to a particular api.

With this search query I am able to see the apiName, but when I select only one apiName it still shows other uri_path values as well.

<my search query>
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"
| search serviceName="*"
| lookup abc.csv serviceName OUTPUT uri_path apiName

serviceName uri_path http_method apiName
/google /page1/page1a/*/googlep1 post postusingRRR
/google /page1/page1a/sada/*/googlep1 get getusingep2
/google /pag5/ggg/*/ooopp/ggplr delete deleteusing

 

But the two queries don't seem to work.

0 Karma

bowesmana
SplunkTrust

Ah, now that you post the real contents: your uri_paths have * in them, which will not match unless you set up a lookup definition (you are just using a lookup file, .csv).

In the lookup definition, you have to add WILDCARD(uri_path) in the Match Type advanced options.
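As an added example (not code from the thread or from Splunk), the following Python emulates the behaviour the accepted answer describes: the thread's rex translated to Python syntax, a constructed copy of abc.csv with the wildcard rows shown above, and a lookup that returns nothing with plain exact matching but resolves apiName once '*' is treated the way a WILDCARD(uri_path) match type treats it. The sample event, its IP and timestamp are constructed; the emulation assumes Splunk's WILDCARD semantics where only '*' is special.

```python
import csv
import io
import re

# The thread's rex, translated from PCRE (?<name>...) to Python's (?P<name>...).
ACCESS_RE = re.compile(
    r'(?P<SRC>\d+\.\d+\.\d+\.\d+).+\]\s"(?P<http_method>\w+)\s(?P<serviceName>/[^/]+)'
    r'(?P<uri_path>[^?\s]+)\s(?P<uri_query>\S+)"\s(?P<statusCode>\d+)\s'
    r'(?P<body_size>\d+)\s\s(?P<response_time>\d+)'
)

# Constructed sample event in the thread's layout; the numeric segment differs per request.
SAMPLE_EVENT = ('10.0.0.5 - - [12/Nov/2024:10:00:00 +0000] '
                '"GET /google/page1/page1a/633243463476/googlep1 HTTP/1.1" 200 350  85')

# Constructed abc.csv holding the wildcard rows shown in the thread.
ABC_CSV = """serviceName,uri_path,http_method,apiName
/google,/page1/page1a/*/googlep1,post,postusingRRR
/google,/page1/page1a/sada/*/googlep1,get,getusingep2
/google,/pag5/ggg/*/ooopp/ggplr,delete,deleteusing
"""

def extract_fields(event):
    """Same field extraction as `| rex field=_raw "..."` applied to one event."""
    m = ACCESS_RE.search(event)
    return m.groupdict() if m else {}

def load_rows():
    return list(csv.DictReader(io.StringIO(ABC_CSV)))

def wildcard_match(pattern, value):
    """Only '*' is a wildcard (any run of characters); everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def lookup(rows, key_field, value, output_fields, wildcard=False):
    """Emulate `| lookup <name> key_field OUTPUT output_fields...`.
    wildcard=False: plain .csv lookup, the CSV cell must equal the event value.
    wildcard=True: lookup definition with match_type = WILDCARD(key_field) in
    transforms.conf, so '*' in the CSV cell matches like a glob. All matching
    rows are returned, since overlapping patterns give multivalue output in Splunk."""
    matches = []
    for row in rows:
        hit = wildcard_match(row[key_field], value) if wildcard else row[key_field] == value
        if hit:
            matches.append({f: row[f] for f in output_fields})
    return matches

if __name__ == "__main__":
    print(lookup(load_rows(), "uri_path", extract_fields(SAMPLE_EVENT)["uri_path"], ["apiName"], wildcard=True))
```

Looking up by serviceName instead, as in the last query above, matches every row that shares "/google", which is why the other uri_path values kept appearing.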

 
