Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rex query :Help required in writing a pattern
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to use rex to figure out the pattern for a url. The URL looks something like -
text . The other 2 urls are having feel-high and feel-low in the URL, and rest everything is same. I want to figure out the count of their calls in last 60 mins.
I have the logic of calculating the count, and all I need is the rex pattern.
Can you please help me in the matter? Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, it's always easier to give advice given a few full events to work from. I assume that you want the first part, between the opening parenthesis and the space before 'HTTP/1.1'. Also, I guess that the parenthesis is actually NOT in your event;
your base search | rex "\s(?<url>\S+)\sHTTP/1\..\s" | the rest of your search
Given that this looks like a csv style log (or rather whitespace separated values), you may benefit from using a props/transforms REPORT with FIELDS and DELIMS.
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio...
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, it's always easier to give advice given a few full events to work from. I assume that you want the first part, between the opening parenthesis and the space before 'HTTP/1.1'. Also, I guess that the parenthesis is actually NOT in your event;
your base search | rex "\s(?<url>\S+)\sHTTP/1\..\s" | the rest of your search
Given that this looks like a csv style log (or rather whitespace separated values), you may benefit from using a props/transforms REPORT with FIELDS and DELIMS.
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio...
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/K
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
