Splunk Search

Unable to extract complete URL from the below splunk log

mani9059
Engager

Hi Team,

 

I am trying to extract complete URL from the below splunk search i tried many ways can you please help me on this.

Splunk log: 

[2021-04-13 04:36:49.556 GMT] ERROR PipelineCallServlet|116901075255|Search-RemoteShow|PipelineCall|y6j3wsyHh1 custom [] component=Search,routine=Show,errorMessage="Out of stock products",URL=https://www.xyz.com/on/demandware.servlet/Sites-Bull-Site/default/Search-RemoteShow?queryDW=true&cgi...

 

But I am unable to get complete URL as a result , i am getting half of the URL. Can you please help me on this.

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @mani9059,

to help you, I need the complete log to understand which char there is after the URL, so after the URL there's a space, you can try:

| rex "URL\=(?<url>[^ ]+)"

Ciao.

Giuseppe 

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What have you tried so far and what were the results of each attempt?  When you say "I am getting half of the URL", which part are you getting?  I'm guessing it stops at an =.  Please share the props.conf settings for this sourcetype.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mani9059,

to help you, I need the complete log to understand which char there is after the URL, so after the URL there's a space, you can try:

| rex "URL\=(?<url>[^ ]+)"

Ciao.

Giuseppe 

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mani9059,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by al the contributors 😉

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.