Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

parse query string parameters

nmarun
Explorer
‎06-18-2020 04:21 AM

Our logs will have urls logged in the below manner:

/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&purpose=Billing&pageNumber=1&pageSize=10

These query string params have default values in the API, so they may not all be present in each of the log entries.

https://regex101.com/r/5Ynk4f/1

This is what I've got so far. I need to write in a tabular format:

includeContactsshowOnlyPrimarySitespurposecount
truetruebilling30
falsefalse 50


Thanks

Arun

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 06:51 AM

So, this will get your URL parameters into their own fields with their respective values.

| makeresults 
| eval url="url=/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&pageNumber=1&pageSize=10" 
| rex field=url max_match=0 "[\?\&](?<params>[^=]+)=(?<values>[^&]+)" 
| eval params=mvzip(params,values) 
| mvexpand params 
| eval params=split(params,",") 
| eval param=mvindex(params,0), {param}=mvindex(params,1)
| fields - param values params 
| stats values(*) as * by url

After that, what you will end up with is a stats command that groups by an unknown set of fields.  That is not possible.  The by clause of stats must be a list of field names, not a wildcard.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 05:25 AM
What is your question? You appear to have the URL parsed already. If you need additional parsing, check out the URLToolbox app on splunkbase.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

nmarun
Explorer
‎06-18-2020 06:22 AM

@richgalloway,

How to render it into a table after parsing?

eval url="url=/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&pageNumber=1&pageSize=10"
|rex field=url max_match=0 "[\?\&](?<params>[^=]+)=(?<values>[^&]+)"| stats count by params

The highlighted part is what I'm trying to figure out.

Thanks

Arun

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2020 06:51 AM

So, this will get your URL parameters into their own fields with their respective values.

| makeresults 
| eval url="url=/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&pageNumber=1&pageSize=10" 
| rex field=url max_match=0 "[\?\&](?<params>[^=]+)=(?<values>[^&]+)" 
| eval params=mvzip(params,values) 
| mvexpand params 
| eval params=split(params,",") 
| eval param=mvindex(params,0), {param}=mvindex(params,1)
| fields - param values params 
| stats values(*) as * by url

After that, what you will end up with is a stats command that groups by an unknown set of fields.  That is not possible.  The by clause of stats must be a list of field names, not a wildcard.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

nmarun
Explorer
‎06-18-2020 07:14 AM

@richgalloway,

Yes, that's my question - is there a way to split the params and values array so I run stats on them?

Thanks,

Aru

0 Karma
Reply
Solved! Jump to solution

nmarun
Explorer
‎06-18-2020 07:16 AM

@richgalloway, Thanks so much sir.

Arun

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...