Hi all
I am using following SPL to loop through HTTP Request data in order to extract fields and values and I have 2 issues marked in bold. Streamstats custom count for 25 does not work and Splunk does not work well with renaming values inside normal and curly brackets / here market with *. Can anybody help please?
Sample Data:
Method:::GET###URI:::favicon.ico ###HTTP Version:::1.1###Host:::s.noname.com###X-Real-IP:::12.12.5.1###X-Forwarded-For:::12.9.5.221###X-Forwarded-Proto:::https###X-Forwarded-Port:::443###X-Forwarded-Host:::s.noname.com###User-Agent:::Mozilla/5.0 (Linux; Android 10; ) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/12.0.3904.102 nonameBrowser/10.1.0.300 Mobile Safari/531.36###Accept:::image/webp,image/apng,image/*,*/*;q=0.2###Sec-Fetch-Site:::same-origin###Sec-Fetch-Mode:::no-cors###Referer:::https://s.noname.com/app/home###Accept-Encoding:::gzip, deflate###Accept-Language:::tr-TR,tr;q=0.9,en-US;q=0.2,en;q=0.1###Cookie:::NEW_nonameSearch_s__noname_com=1f3e090555524aecc1ce912; NEWts_nonameSearch_s_cloud_noname_com=152224319; HW_refts_nonameSearch_s_cloud_noname_com=1522243515550; APP_LANG=tr-tr; APP_REGION=te; IO_ts__s_cloud_noname_com=15933020425; NEWvc_nonameSearch_s_cloud_noname_com=5; IO_viewts_nonameSearch_s_cloud_noname_com=159143313###
SPL:
| streamstats count(25) AS n
| eval n = n-1
| eval f=split(RequestContent, "###")
| eval f{n}=mvindex(f, {n}) /*
| eval fs=split(f{n},":::") /*
| eval f{n}V= trim(mvindex(fs, 1))
| eval f{n}H= mvindex(fs, 0)
| eval {f{n}H} = f{n}V /*
