henrycharles
Reputation: 1041
Regular Expression for different api url and renaming the resultant events in splunk
I am trying to get the event count for below api in splunk for that I am trying to write regular expression for api but its not selecting hypen not sure how to write the regular expression to extract field out of it
"GET /v1/resource-plans/store-manager-view?type=
"GET /v1/resource-plans/trend ? xyz=
"GET /v1/resource-plans/store-director-view ? location =
"POST /v1/resource-plans
I have tried below expression its selecting store-manager and store-director into one but i need count for all api different row
(?<TYPE>\/v1\/resource-plans\/\w+)
And also i want to rename the resultant events defined in field column TYPE how to do this ? Below is my Splunk query
index=msc AND app=xyz AND source=resouce NOT message="*/_status" | rex field= message "(?<TYPE>\/v1\/resource-plans\/\w+)
" | stats count by TYPE
Upvotes: 0
Views: 466
Answers (1)
Wiktor Stribiżew
Reputation: 627336
Regarding the regex part, you can use
(?<TYPE>/v1/resource-plans(?:/[^/?#]+)?)
See the regex demo. Details:
/v1/resource-plans- a literal fixed string(?:/[^/?#]+)?- an optional occurrence of/- a slash[^/?#]+- one or more chars other than/,?and#
Upvotes: 0
Related Questions
- How to pattern match a list of APIs calls to their API Pattern (or group)?
- Splunk: How to use multiple regular expressions in one query?
- how to matching URI in splunk
- Splunk - regex extract fields from source
- Regex search for UUID based uri in splunk
- How to get url to specific splunk event?
- Splunk: How to Write regex for pathparam?
- Conditional Truncation of a URL with REGEX
- Regex to extract two values from single string in Splunk
- How to ignore a specific sub-string from Splunk query