Splunk Search

Need help with a regex please. (Defining an action by user)

tengugurl1
Engager

I have a standard printed statement that shows something like this:

[
29/Aug/2024:23:59:48 +0000] "GET /rest/LMNOP
[29/Aug/2024:23:59:48 +0000] "POST /rest/LMNOP
[29/Aug/2024:23:59:48 +0000] "PUT /rest/LMNOP
[29/Aug/2024:23:59:48 +0000] "DELETE /rest/LMNOP

I don't have a defined field called  "ActionTaken" in the sense, was the user doing a put, post or get etc..

Is there a simple regex that would give me something to add to a query that would define a variable called 

"ActionTaken"

tried this:
rex "\//rest/s*(?<ActionTaken>\d{3})" 


But it comes back with nothing 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The existing rex command is searching for 3 digits following "rest", which does not match the sample text.  Try this command

| rex "\\\"(?<method>\w+) \/rest\/(?<ActionTaken>.*)"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

1. Use regex101.com - it's a great tool for testing regexes.

2. Remember to escape backslashes and quotes if you use regex as a sting argument to the rex command.

3. Your regex would match three-digit-long parts of request path after the "//rest/" part (which doesn't appear in yiur events anyway), not the http method.

4. You need something like

| rex "\\]\\s+(?<ActionTaken>\\S+)\\s/"

(If you want to test it on regex101.com, remove extra backslashes)

thx
Explorer

try something like...

| rex field=_raw ".*\/rest\/(?<ActionTaken>\w+)"

richgalloway
SplunkTrust
SplunkTrust

The existing rex command is searching for 3 digits following "rest", which does not match the sample text.  Try this command

| rex "\\\"(?<method>\w+) \/rest\/(?<ActionTaken>.*)"

 

---
If this reply helps you, Karma would be appreciated.

tengugurl1
Engager

May I ask another silly question,
I am getting closer to what I need, if I had the following examples:

/rest/Apple/1.0/
/rest/Banana/2/
/rest/structure/2.0/

How could I define a variable via regex to best tease out whats an apple, banana and or structure

I tried what you provided below but its giving me the full log.
I just need it to show:

 

 

| rex "rest/***/***"(?<method>\w+) \/rest\/(?<ActionTaken>.*)"

AKA Action taken would be equal to apple, banana or structure 

 

Apple 1.0

or Banana 2

structure 2.0.  (TLDR basically anything after rest/*/*/



0 Karma

richgalloway
SplunkTrust
SplunkTrust

Since the new sample events don't have a method field (GET, POST, etc.), we can get rid of that part of the regex.

| rex "\/rest\/(?<field1>[^\/]+)\/(?<field2>.*)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...