Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex query :Help required in writing a pattern

Nicksyboy
Explorer
‎10-17-2013 04:33 PM

I want to use rex to figure out the pattern for a url. The URL looks something like -
text . The other 2 urls are having feel-high and feel-low in the URL, and rest everything is same. I want to figure out the count of their calls in last 60 mins.

I have the logic of calculating the count, and all I need is the rex pattern.

Can you please help me in the matter? Thanks in advance!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-18-2013 12:03 AM

Well, it's always easier to give advice given a few full events to work from. I assume that you want the first part, between the opening parenthesis and the space before 'HTTP/1.1'. Also, I guess that the parenthesis is actually NOT in your event;

your base search | rex "\s(?<url>\S+)\sHTTP/1\..\s" | the rest of your search

Given that this looks like a csv style log (or rather whitespace separated values), you may benefit from using a props/transforms REPORT with FIELDS and DELIMS.

http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio...
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/K

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-18-2013 12:03 AM

Well, it's always easier to give advice given a few full events to work from. I assume that you want the first part, between the opening parenthesis and the space before 'HTTP/1.1'. Also, I guess that the parenthesis is actually NOT in your event;

your base search | rex "\s(?<url>\S+)\sHTTP/1\..\s" | the rest of your search

Given that this looks like a csv style log (or rather whitespace separated values), you may benefit from using a props/transforms REPORT with FIELDS and DELIMS.

http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio...
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

/K

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...