Splunk Search

Need help with a regex please. (Defining an action by user)

tengugurl1
Engager

I have a standard printed statement that shows something like this:

[29/Aug/2024:23:59:48 +0000] "GET /rest/LMNOP
[29/Aug/2024:23:59:48 +0000] "POST /rest/LMNOP
[29/Aug/2024:23:59:48 +0000] "PUT /rest/LMNOP
[29/Aug/2024:23:59:48 +0000] "DELETE /rest/LMNOP

I don't have a defined field called "ActionTaken", in the sense of: was the user doing a put, post or get, etc.

Is there a simple regex that would give me something to add to a query that would define a variable called "ActionTaken"?

I tried this:

rex "\//rest/s*(?<ActionTaken>\d{3})"

But it comes back with nothing.

1 Solution

richgalloway
SplunkTrust
SplunkTrust

The existing rex command is searching for 3 digits following "rest", which does not match the sample text.  Try this command

| rex "\\\"(?<method>\w+) \/rest\/(?<ActionTaken>.*)"


---
If this reply helps you, Karma would be appreciated.


PickleRick
SplunkTrust
SplunkTrust

1. Use regex101.com - it's a great tool for testing regexes.

2. Remember to escape backslashes and quotes if you use regex as a string argument to the rex command.

3. Your regex would match three-digit-long parts of request path after the "//rest/" part (which doesn't appear in your events anyway), not the http method.

4. You need something like

| rex "\\]\\s+(?<ActionTaken>\\S+)\\s/"

(If you want to test it on regex101.com, remove extra backslashes)

thx
Explorer

try something like...

| rex field=_raw ".*\/rest\/(?<ActionTaken>\w+)"


tengugurl1
Engager

May I ask another silly question?
I am getting closer to what I need. If I had the following examples:

/rest/Apple/1.0/
/rest/Banana/2/
/rest/structure/2.0/

How could I define a variable via regex to best tease out what's an apple, banana and/or structure?

I tried what you provided below but it's giving me the full log.
I just need it to show:

| rex "rest/***/***"(?<method>\w+) \/rest\/(?<ActionTaken>.*)"

AKA Action taken would be equal to apple, banana or structure

Apple 1.0

or Banana 2

structure 2.0. (TLDR basically anything after rest/*/*/)

richgalloway
SplunkTrust
SplunkTrust

Since the new sample events don't have a method field (GET, POST, etc.), we can get rid of that part of the regex.

| rex "\/rest\/(?<field1>[^\/]+)\/(?<field2>.*)"
---
If this reply helps you, Karma would be appreciated.
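Added example, not code from the thread: it runs the two rex patterns from the accepted answers against the sample events in Python's re module, after undoing the SPL string escaping that PickleRick points out. The unescape rule (`\\` to `\`, `\"` to `"`) and the `(?<name>)` to `(?P<name>)` translation are my assumptions about Splunk's quoting and Python's group syntax.

```python
import re

# Constructed sample events modelled on the question (not real logs).
EVENTS = [
    '[29/Aug/2024:23:59:48 +0000] "GET /rest/LMNOP',
    '[29/Aug/2024:23:59:48 +0000] "POST /rest/LMNOP',
    '[29/Aug/2024:23:59:48 +0000] "PUT /rest/Apple/1.0/',
    '[29/Aug/2024:23:59:48 +0000] "DELETE /rest/Banana/2/',
]

# The rex argument exactly as it sits inside the SPL double quotes.
SPL_REX_ARG = r'\\\"(?<method>\w+) \/rest\/(?<ActionTaken>.*)'
# Second answer's pattern for the /rest/<thing>/<version>/ follow-up.
SPL_PATH_ARG = r'\/rest\/(?<field1>[^\/]+)\/(?<field2>.*)'


def spl_unescape(arg):
    """Undo SPL double-quoted-string escaping (assumed rule: only
    \\\\ -> \\ and \\" -> " are rewritten; \\w, \\/ etc. pass through)."""
    return re.sub(r'\\([\\"])', r'\1', arg)


def to_python(pattern):
    """PCRE named group (?<name>...) -> Python's (?P<name>...)."""
    return re.sub(r'\(\?<(\w+)>', r'(?P<\1>', pattern)


METHOD_RE = re.compile(to_python(spl_unescape(SPL_REX_ARG)))
PATH_RE = re.compile(to_python(spl_unescape(SPL_PATH_ARG)))


def extract(event):
    """Return the fields the two rex commands would add to one event.
    Events without a second path segment get no field1/field2."""
    fields = {}
    for regex in (METHOD_RE, PATH_RE):
        match = regex.search(event)
        if match:
            fields.update(match.groupdict())
    return fields


if __name__ == "__main__":
    for ev in EVENTS:
        print(extract(ev))
```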