Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search an endpoint ending with numbers

newtosplunk14
Explorer
‎08-06-2021 12:15 AM

I want to search for endpoints  /api/work/12345678 i.e api/work/(8 digt number). My below query gives me all the three endpoint in the logs. I just only want the ones that are  /api/work/12345678. 

Search Query - cf_app_name="preval" cf_space_name="prod" msg="*/api/jobs/*" 

My logs contain

msgabc - [2021-08-06T06:49:11.529+0000] "GET /api/work/12345678/data HTTP/1.1" 200 0 407 "-" "Java/1.8.0_222"

msgabc - [2021-08-06T06:49:11.529+0000] "GET /api/work/12345678 HTTP/1.1"  200 0 407 "-" "Java/1.8.0_222"

msgabc - [2021-08-06T06:49:11.529+0000] "GET /api/work/12345678/photo HTTP/1.1" 200 0 407 "-" "Java/1.8.0_222"

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎08-06-2021 02:22 AM

@newtosplunk14  try this

cf_app_name="preval" cf_space_name="prod" | regex uri="\/api\/work\/\d+$"

View solution in original post

Reply
Solved! Jump to solution

newtosplunk14
Explorer
‎08-06-2021 05:56 AM

Thanks heaps @venkatasri  and @ITWhisperer . both your solutions worked brilliantly!

0 Karma
Reply
Solved! Jump to solution

newtosplunk14
Explorer
‎08-06-2021 02:16 AM

Thanks for your response Venkatasri. I tried but still returns all the events. I want the query to return one the first event in my log below.

my log is as below. 

msg: timestamp="2021-08-06T08:55:56.091Z", local_host="3deb5c54-c5f9-446d-6136-89ee", status="200", remote_host="70.132.29.36", client_id="7012430", subject_id="NO_SUBJECT_ID", service_access_id="ACCESS_USER", billing_event_sent="false", execution_time="3", uri="/api/work/16898540", app_env="prod", usage_log="preval"

msg: timestamp="2021-08-06T08:55:56.091Z", local_host="3deb5c54-c5f9-446d-6136-89ee", status="200", remote_host="70.132.29.36", client_id="7012430", subject_id="NO_SUBJECT_ID", service_access_id="ACCESS_USER", billing_event_sent="false", execution_time="3", uri="/api/work/16898540/data", app_env="prod", usage_log="preval"

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎08-06-2021 02:22 AM

@newtosplunk14  try this

cf_app_name="preval" cf_space_name="prod" | regex uri="\/api\/work\/\d+$"
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2021 02:21 AM 
cf_app_name="preval" cf_space_name="prod" | regex "uri=\"\/api\/work\/\d+\""
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2021 01:22 AM

If msg is a field which is already extracted, you can use this - note the \s in the pattern to terminate the URI

cf_app_name="preval" cf_space_name="prod" | regex msg="\/api\/work\/\d+\s"
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎08-06-2021 12:30 AM

Hi @newtosplunk14 

Try this,

cf_app_name="preval" cf_space_name="prod" | regex "\/api\/work\/\d+"

--

An upvote would be appreciated and Accept solution if this reply helps! 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...