cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
newtosplunk14
Explorer
Member since: ‎08-05-2021
‎01-30-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎08-05-2021
Activity Feed
View All

Re: Count events matching a specific string

by in Splunk Search
‎09-01-2021 05:08 AM
1 Karma
‎09-01-2021 05:08 AM
1 Karma
Just extract the appropriate fields from the URI and split the parameters into a multivalued field. | makeresults | eval _raw="msg: abc.asia - [2021-08-23T00:27:08.152+0000] \"GET /facts?factType=COMMERCIAL&sourceSystem=ADMIN&sourceOwner=ABC&filters=%257B%2522stringMatchFilters%2522:%255B%257B%2522key%2522:%2522BFEESCE((json_data-%253E%253E'isNotSearchable')::boolean,%2520false)%2522,%2522value%2522:%2522false%2522,%2522operator%2522:%2522EQ%2522%257D%255D,%2522multiStringMatchFilters%2522:%255B%257B%2522key%2522:%2522json_data-%253E%253E'id'%2522,%2522values%2522:%255B%25224970111%2522%255D%257D%255D,%2522containmentFilters%2522:%255B%255D,%2522nestedMultiStringMatchFilter%2522:%255B%255D,%2522nestedStringMatchFilters%2522:%255B%255D%257D&sorts=%257B%2522sortOrders%2522:%255B%257B%2522key%2522:%2522id%2522,%2522order%2522:%2522DESC%2522%257D%255D%257D&pagination=null\"" | rex "\"(?<req>\S+)\s(?<uri>\S+)\"" | eval uri=urldecode(uri) | rex field=uri "(?<reqpath>.*)\?(?<query>.*)" | makemv delim="&" query | search query="factType=COMMERCIAL"  Then you can extract the "filters=something" value from the query field and process it apropriately (probably passing it through another urldecode()). ... View more

Re: Search an endpoint ending with numbers

by in Splunk Search
‎08-06-2021 05:56 AM
‎08-06-2021 05:56 AM
Thanks heaps @venkatasri  and @ITWhisperer . both your solutions worked brilliantly! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-30-2022 09:54 AM
Karma given to
View All