Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

parse query string parameters

nmarun
Explorer
‎06-18-2020 04:21 AM

Our logs will have urls logged in the below manner:

/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&purpose=Billing&pageNumber=1&pageSize=10

These query string params have default values in the API, so they may not all be present in each of the log entries.

https://regex101.com/r/5Ynk4f/1

This is what I've got so far. I need to write in a tabular format:

includeContactsshowOnlyPrimarySitespurposecount
truetruebilling30
falsefalse 50


Thanks

Arun

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 06:51 AM

So, this will get your URL parameters into their own fields with their respective values.

| makeresults 
| eval url="url=/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&pageNumber=1&pageSize=10" 
| rex field=url max_match=0 "[\?\&](?<params>[^=]+)=(?<values>[^&]+)" 
| eval params=mvzip(params,values) 
| mvexpand params 
| eval params=split(params,",") 
| eval param=mvindex(params,0), {param}=mvindex(params,1)
| fields - param values params 
| stats values(*) as * by url

After that, what you will end up with is a stats command that groups by an unknown set of fields.  That is not possible.  The by clause of stats must be a list of field names, not a wildcard.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 05:25 AM
What is your question? You appear to have the URL parsed already. If you need additional parsing, check out the URLToolbox app on splunkbase.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

nmarun
Explorer
‎06-18-2020 06:22 AM

@richgalloway,

How to render it into a table after parsing?

eval url="url=/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&pageNumber=1&pageSize=10"
|rex field=url max_match=0 "[\?\&](?<params>[^=]+)=(?<values>[^&]+)"| stats count by params

The highlighted part is what I'm trying to figure out.

Thanks

Arun

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 06:51 AM

So, this will get your URL parameters into their own fields with their respective values.

| makeresults 
| eval url="url=/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&pageNumber=1&pageSize=10" 
| rex field=url max_match=0 "[\?\&](?<params>[^=]+)=(?<values>[^&]+)" 
| eval params=mvzip(params,values) 
| mvexpand params 
| eval params=split(params,",") 
| eval param=mvindex(params,0), {param}=mvindex(params,1)
| fields - param values params 
| stats values(*) as * by url

After that, what you will end up with is a stats command that groups by an unknown set of fields.  That is not possible.  The by clause of stats must be a list of field names, not a wildcard.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

nmarun
Explorer
‎06-18-2020 07:14 AM

@richgalloway,

Yes, that's my question - is there a way to split the params and values array so I run stats on them?

Thanks,

Aru

0 Karma
Reply
Solved! Jump to solution

nmarun
Explorer
‎06-18-2020 07:16 AM

@richgalloway, Thanks so much sir.

Arun

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...