- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- erex command not working for URL fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using Splunk 6.4.
I am able to extract many fields from my data using erex comand. However, for URL fields, the erex comamand doesnt work.
My events-
1470993728.300 44 81.11.191.113 TCP_REFRESH_HIT/200 9403 GET http://www.fastcompany.com/files/imagecache/rs_145_image/files/gadgets5.jpg emaxwell@buttercupgames.com DIRECT/www.fastcompany.com image/jpeg DEFAULT_CASE-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting - http://www.fastcompany.com/
1470947922.609 85 147.213.138.201 TCP_REFRESH_HIT/200 1801 GET http://www.educationworld.com/images2/home/homepage_section_profdev.gif bhussain@buttercupgames.com DIRECT/www.educationworld.com - ALLOW_WBRS-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting - http://www.educationworld.com/
I am using the below command -
index="main" | erex domain1 examples="http://www.fastcompany.com/,http://www.educationworld.com/,http://www.lowermybills.com/,http://www.f..." | dedup domain1 | table domain1
This does not give any result.
Is this because of / characters in the URL ? How to solve this ?
Please suggest.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I took your events and ran the query and I'm getting the results. Check this run anywhere sample.
| gentimes start=-1 | eval raw="1470993728.300 44 81.11.191.113 TCP_REFRESH_HIT/200 9403 GET http://www.fastcompany.com/files/imagecache/rs_145_image/files/gadgets5.jpg emaxwell@buttercupgames.com DIRECT/www.fastcompany.com image/jpeg DEFAULT_CASE-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting - http://www.fastcompany.com/"; | rename raw as _raw | append [ | gentimes start=-1 | eval raw="1470947922.609 85 147.213.138.201 TCP_REFRESH_HIT/200 1801 GET http://www.educationworld.com/images2/home/homepage_section_profdev.gif bhussain@buttercupgames.com DIRECT/www.educationworld.com - ALLOW_WBRS-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting - http://www.educationworld.com/"; | rename raw as _raw ] | erex domain1 examples="http://www.fastcompany.com/,http://www.educationworld.com/,http://www.lowermybills.com/,http://www.fftoday.com/,http://www.adventureindonesia.com/,http://www.puffpastry.com/" | dedup domain1 | table domain1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I took your events and ran the query and I'm getting the results. Check this run anywhere sample.
| gentimes start=-1 | eval raw="1470993728.300 44 81.11.191.113 TCP_REFRESH_HIT/200 9403 GET http://www.fastcompany.com/files/imagecache/rs_145_image/files/gadgets5.jpg emaxwell@buttercupgames.com DIRECT/www.fastcompany.com image/jpeg DEFAULT_CASE-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting - http://www.fastcompany.com/"; | rename raw as _raw | append [ | gentimes start=-1 | eval raw="1470947922.609 85 147.213.138.201 TCP_REFRESH_HIT/200 1801 GET http://www.educationworld.com/images2/home/homepage_section_profdev.gif bhussain@buttercupgames.com DIRECT/www.educationworld.com - ALLOW_WBRS-DefaultGroup-Demo_Clients-NONE-NONE-DefaultRouting - http://www.educationworld.com/"; | rename raw as _raw ] | erex domain1 examples="http://www.fastcompany.com/,http://www.educationworld.com/,http://www.lowermybills.com/,http://www.fftoday.com/,http://www.adventureindonesia.com/,http://www.puffpastry.com/" | dedup domain1 | table domain1
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
