Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex for capturing multiple values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to capture all query string names (but not values as a list). I tried the below expression but i think it is capturing only the first one but not the rest. Any help is appreciated
rex field=uri "\?(?
Below is an example event.
GET /Ntt-valve+Butterfly+Valves,?L1=Butterfly+Valves%25252C&L2=Stainless-Steel&Ndr=textsearchesinbase%252Btrue&operator=prodIndexRefinementSearch&originalValue=valve&sst=All
So i need
L1
L2
Ndr
operator
originalValue
sst
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf
[yoursourcetype]
KV_MODE=auto
this is the default... so you really should be seeing all the fields from all the queries auto extracted.
As Shane is getting at... if you want to do it deliberately, it looks like you have a very clear delimiter pattern where KEY is prefixed with an ampersand, value is prefixed with an equals sign. The exception is the first one which you could handle separately.
There are two places you want to look to understand what we're thinking.
At the config level - take a look HERE http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf
and search for "DELIM" and if you want to do it inline... then look at the various ways of handling DELIMs
here http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf
[yoursourcetype]
KV_MODE=auto
this is the default... so you really should be seeing all the fields from all the queries auto extracted.
As Shane is getting at... if you want to do it deliberately, it looks like you have a very clear delimiter pattern where KEY is prefixed with an ampersand, value is prefixed with an equals sign. The exception is the first one which you could handle separately.
There are two places you want to look to understand what we're thinking.
At the config level - take a look HERE http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf
and search for "DELIM" and if you want to do it inline... then look at the various ways of handling DELIMs
here http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/CommonEvalFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on the above example:
rex field=uri "L1\=(?<L1>[\w\+\:\;\%\.]+)\&L2\=(?<L2>[\w\+\:\;\%\.]+)\&Ndr\=(?<Ndr>[\w\+\:\;\%\.]+)\&operator\=(?<operator>[\w\+\:\;\%\.]+)\&originalValue\=(?<originalValue>[\w\+\:\;\%\.]+)\&sst\=?<sst>\w+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are all of the parameter names prefixed with a &?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi the event i gave is just an example. Those parameter names would be different across different urls. So it won't work for all the urls
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
