Splunk Search

Wildcard in middle of search string

shabdadev
Engager

Hi all ,
I have this query

  index=ihs host=losat  sourcetype=ih  ( URLRedefined="/wcs/resources/products/*/credit/fin/v1\?brand=*" OR URLRedefined="/webapp/wcs/OrderItem\?orderId=*")
 | eval URL=case(match(URLRedefined,"/wcs/resources/products/*/credit/fin/v1\?brand=*"),"/wcs/resources/products/*/credit/fin/v1?brand=*",
match(URLRedefined,"/webapp/wcs/OrderItem\?orderId=*"),"/webapp/wcs/OrderItem?orderId=*"  )
         | stats count perc95(ResponseTime)  by URL 

While running i am getting the stats for the orderitem url but for credit/fin url ..no stats are coming even though data is there for that .

I can see one msg in job section:

Unified Search: The term 'URLRedefined="/wcs/resources/products//credit/fin/v1\?brand="' contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation.

How to resolve this ??

Tags (1)
0 Karma

koshyk
Super Champion

When I tested with below examples, it worked

For brand

|makeresults | eval URLRedefined="/wcs/resources/products/aaaaaaaaa/credit/fin/v1?brand=hello_world"  
| eval URL=case(match(URLRedefined,"/wcs/resources/products/.*/credit/fin/v1\?brand="),"/wcs/resources/products/*/credit/fin/v1?brand=*",    match(URLRedefined,"/webapp/wcs/OrderItem\?orderId=*"),"/webapp/wcs/OrderItem?orderId=*"  )
| table URLRedefined,URL

For Order item

|makeresults | eval URLRedefined="/webapp/wcs/OrderItem?orderId=12345"  
| eval URL=case(match(URLRedefined,"/wcs/resources/products/.*/credit/fin/v1\?brand="),"/wcs/resources/products/*/credit/fin/v1?brand=*",   match(URLRedefined,"/webapp/wcs/OrderItem\?orderId=.*"),"/webapp/wcs/OrderItem?orderId=*"  )| table URLRedefined,URL

The only change, I've done is to use ".*" in the match expression.

0 Karma

niketn
Legend

@shabdadev, you might have to read about match() function again(http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#match.28SUBJ...). Match performs a regular expression based pattern match. So, if you are familiar with Regular Expressions you can create pattern matches accordingly.

Following is a run anywhere search to make you understand RegEx based pattern matching.

| makeresults
| eval URLRedefined="/wcs/resources/products/blah1/blah2/credit/fin/v1?brand=blah1blah2"
| eval URL=case(match(URLRedefined,"/wcs/resources/products/*/credit/fin/v1\?brand=*"),"\/wcs\/resources\/products\/.*\/credit\/fin\/v1\?brand=.*",true(),"UnknownURL"

While I have taken one random URLRedefined example similar to credit URL you are interested in, you will have access to actual sample and complete data set. Please use regex101 to come up with exact regular expressions and test the same prior to applying the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

shabdadev
Engager

Hi Niket Thanks for the response...
I think while parsing the match function it was not able to parse asterisk because it was embedded between 2 forward slashes .......i used escape characters in front of the forward slashes and asterisk and it worked . Still i am not sure why . (dot) is used as escape character for asterisk ??

eval URL=case(match(URLRedefined,"/wcs/resources/products\/.* \/credit/fin/v1\?brand=*")

The link which you provided , i allready went through it but in what situations what all escape characters are used is not mentioned there .

0 Karma

niketn
Legend

@shabdadev, I think you are confusing between escape character and Regular Expression,

Dot (.) in Regular expression means pick anything and asterisk (*) will mean repeat n number or time until next pattern is found. RegEx101 towards bottom right section will also give you an idea about Regular Expressions however, I would say better understand that in depth as Regular Expressions will be used for pattern matching in several places and in several Splunk commands/Field Extractions.

If the comment has helped you resolve the issue. I will convert to answer. Please accept to close the same unless you have any other clarifications.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@shabdadev, please accept the answer if it helped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@shabdadev, for the following URL "/wcs/resources/products/*/credit/fin/v1\?brand=*", does asterisk() represent wildcard or is asterisk() part of the raw data itself?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

shabdadev
Engager

asterisk() * is wildcard which i want to use to take in account all values/data which comes in between the both forward slashes

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...