Solved: extract field from url skipping the ids

artemdubrov · ‎05-12-2020

i have urls that include numeric ids in the path:

/api/clients/11111/interactions
/api/clients/22222/interactions
/api/clients/33333/profiles

I need to extract service_name field, skipping the ids, ideally:

| service_name              | count |
|---------------------------+-------|
| /api/clients/interactions |     2 |
| /api/clients/profiles     |     1 |

please help

vnravikumar · ‎05-12-2020

Hi

Try this

| makeresults 
| eval url="/api/clients/11111/interactions,/api/clients/22222/interactions,/api/clients/33333/profiles" 
| makemv delim="," url 
| mvexpand url 
| rex mode=sed field=url "s/\/\w+//3" 
| rename url as service_name 
| stats count by service_name

View solution in original post

vnravikumar · ‎05-12-2020

Hi

Try this

| makeresults 
| eval url="/api/clients/11111/interactions,/api/clients/22222/interactions,/api/clients/33333/profiles" 
| makemv delim="," url 
| mvexpand url 
| rex mode=sed field=url "s/\/\w+//3" 
| rename url as service_name 
| stats count by service_name

artemdubrov · ‎05-13-2020

that works exactly as requested, thanks!

i guess my challenge is how to put it inside "field extractor" so I can use the 'service_name' field and all the logic is hidden in that field definition.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/ExtractfieldsinteractivelywithIFX

I think I was able to accomplish it by using 'Calculated fields' defined as:
replace(service_name, "/\d+", "")

extract field from url skipping the ids

field extraction

rex

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability