Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract uri

sandeepmakkena
Contributor
‎10-07-2019 12:36 PM 
/hk-zh/shop/buy-phone/phone-1/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-256gb-%E9%8A%80%E8%89%B2 1059
/hk/shop/buy-phone/phoneSS/5.5-inch-display-128gb-rose-gold 493
/hk-zh/shop/buy-phone/one6/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E7%8E%AB%E7%91%B0%E9%87%91%E8%89%B2   375
/shop/buy-tab/mini-3/128gb-gold-wifi    90
/shop/buy-tab/mini-3/128gb-silver-wifi  90
/hk-zh/shop/buy-phone/phone-sm/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E9%8A%80%E8%89%B2 60
/hk-zh/shop/buy-phone/phone-ap/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E4%BA%AE%E9%BB%91%E8%89%B2    59
/hk-zh/shop/buy-phone/phone-lg/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E5%A4%AA%E7%A9%BA%E7%81%B0    59

I want to extract URL starting from /shop/..... till special char like %E5 something.
Something like this.
/shop/buy-phone/phone-1/5.8
/shop/buy-phone/phoneSS/5.5-inch-display-128gb-rose-gold
/shop/buy-phone/one6/5.5
/shop/buy-tab/mini-3/128gb-gold-wifi
/shop/buy-tab/mini-3/128gb-silver-wifi

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎10-07-2019 12:55 PM

Try the below run anywhere search, 

|makeresults | eval url=split(("/hk-zh/shop/buy-phone/phone-1/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-256gb-%E9%8A%80%E8%89%B2    1059,
/hk/shop/buy-phone/phoneSS/5.5-inch-display-128gb-rose-gold    493,
/hk-zh/shop/buy-phone/one6/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E7%8E%AB%E7%91%B0%E9%87%91%E8%89%B2    375,
/shop/buy-tab/mini-3/128gb-gold-wifi    90,
/shop/buy-tab/mini-3/128gb-silver-wifi    90,
/hk-zh/shop/buy-phone/phone-sm/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E9%8A%80%E8%89%B2    60,
/hk-zh/shop/buy-phone/phone-ap/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E4%BA%AE%E9%BB%91%E8%89%B2    59,
/hk-zh/shop/buy-phone/phone-lg/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E5%A4%AA%E7%A9%BA%E7%81%B0    59"),",")
|mvexpand url
| eval decoded_url=urldecode(url)
| rex field=url "shop(?<ex_url>[a-zA-Z\/\-0-9\.]+)"
| rex field=ex_url mode=sed "s/-$//g"
| eval ex_url="/shop"+ex_url
| table url, decoded_url, ex_url

url- actual url from samples
decoded_url - decoded url using urldecode function.
ex_url - is the extracted url.

Hope this helps you..

Cheers !!!

V

View solution in original post

Reply
Solved! Jump to solution

kiamco
Path Finder
‎10-07-2019 12:57 PM

try something like this 

| your search | rex field=`some_field` "(?<=\/shop)(?<uri>[a-zA-Z-0-9.\/-]+)" | table uri
0 Karma
Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎10-07-2019 12:55 PM

Try the below run anywhere search, 

|makeresults | eval url=split(("/hk-zh/shop/buy-phone/phone-1/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-256gb-%E9%8A%80%E8%89%B2    1059,
/hk/shop/buy-phone/phoneSS/5.5-inch-display-128gb-rose-gold    493,
/hk-zh/shop/buy-phone/one6/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E7%8E%AB%E7%91%B0%E9%87%91%E8%89%B2    375,
/shop/buy-tab/mini-3/128gb-gold-wifi    90,
/shop/buy-tab/mini-3/128gb-silver-wifi    90,
/hk-zh/shop/buy-phone/phone-sm/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E9%8A%80%E8%89%B2    60,
/hk-zh/shop/buy-phone/phone-ap/5.5-%E5%90%8B%E8%9E%A2%E5%B9%95-128gb-%E4%BA%AE%E9%BB%91%E8%89%B2    59,
/hk-zh/shop/buy-phone/phone-lg/5.8-%E5%90%8B%E9%A1%AF%E7%A4%BA%E5%99%A8-64gb-%E5%A4%AA%E7%A9%BA%E7%81%B0    59"),",")
|mvexpand url
| eval decoded_url=urldecode(url)
| rex field=url "shop(?<ex_url>[a-zA-Z\/\-0-9\.]+)"
| rex field=ex_url mode=sed "s/-$//g"
| eval ex_url="/shop"+ex_url
| table url, decoded_url, ex_url

url- actual url from samples
decoded_url - decoded url using urldecode function.
ex_url - is the extracted url.

Hope this helps you..

Cheers !!!

V
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...