Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to use rex to divide api name?

mikeyty07
Path Finder
‎12-14-2022 01:29 PM

I have an access logs which prints like this
server - - [date& time] "GET /google/page1/page1a/633243463476/googlep1?sc=RT&lo=en_US HTTP/1.1" 200 350 85
which rex is 
| rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<uri_path>\S+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"

Is there a way to seperate uri into two or 3?

 /google/page1/page1a/633243463476/googlep1?sc=RT&lo=en_US 

TO

 /google
/page1/page1a/633243463476/googlep1?sc=RT&lo=en_US 

OR

/google
/page1/page1a/633243463476/googlep1 
?sc=RT&lo=en_US

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-14-2022 03:09 PM

This will get the 3 parts

(?<uri_root>/[^/]+)(?<uri_path>[^?\s]+)\s?(?<uri_query>\S+)

View solution in original post

Reply
Solved! Jump to solution

mikeyty07
Path Finder
‎12-15-2022 12:08 PM

Thank you worked like a charm, however i used
(?<uri_root>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)
uri_query seemed to give results for Http/1.1

can you also please check this? It is follow up question.
https://community.splunk.com/t5/Splunk-Search/Using-lookup-command-after-rex-field/td-p/624450

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎12-15-2022 02:54 AM

An alternative to regex is to use split, which can be more semantically explicit. (And slightly more efficient.)

Now to using split.  Assuming that you have that field uri.

 

| eval uri = split(uri, "?")
| eval uri_query = "?" . mvindex(uri, 1) ``` ?sc=RT&lo=en_US ```
| eval uri = split(mvindex(uri, 0), "/")
| eval root = "/" . mvindex(uri, 1) ``` /google ```
| eval remainder = "/" . mvjoin(mvindex(uri, 2, -1), "/")

 

This gives

remainderrooturi_query
/page1/page1a/633243463476/googlep1/google?sc=RT&lo=en_US

 

Tags (3)
0 Karma
Reply
Solved! Jump to solution

mikeyty07
Path Finder
‎12-15-2022 10:21 AM

the search didnt give any results, also how do i get results of all the other companies like facebook, twitter?

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-14-2022 03:09 PM

This will get the 3 parts

(?<uri_root>/[^/]+)(?<uri_path>[^?\s]+)\s?(?<uri_query>\S+)
Reply
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...