0
votes

I am trying to get the event count for the API calls below in Splunk. For that I am trying to write a regular expression for the API path, but it is not selecting the hyphen, and I am not sure how to write the regular expression to extract the field out of it.

"GET /v1/resource-plans/store-manager-view?type=
"GET /v1/resource-plans/trend ? xyz=
"GET /v1/resource-plans/store-director-view ? location =
"POST /v1/resource-plans

I have tried the expression below; it is selecting store-manager and store-director into one, but I need the count for each API on a different row.

(?<TYPE>\/v1\/resource-plans\/\w+)


And also I want to rename the resultant events defined in the field column TYPE. How do I do this? Below is my Splunk query:

  index=msc AND app=xyz AND source=resouce NOT message="*/_status" | rex field=message "(?<TYPE>\/v1\/resource-plans\/\w+)" | stats count by TYPE
Comments:

Wiktor Stribiżew: Adding hyphen is easy - (?<TYPE>/v1/resource-plans/[\w-]+) or (?<TYPE>/v1/resource-plans/[^/?#]+)

henrycharles: @WiktorStribiżew but it's not selecting "POST /v1/resource-plans"; the rest, all three, are selecting.

Wiktor Stribiżew: It is due to the missing part after resource-plans, see (?<TYPE>/v1/resource-plans(?:/[^/?#]+)?)

henrycharles: @WiktorStribiżew Any idea how to rename the results of TYPE instead of showing the whole URL?

Jerry Jeremiah: You can use a lookup table to translate the TYPE event text to different text. Or you could just use an eval with a case inside.

1 Answer

0
votes

Regarding the regex part, you can use

(?<TYPE>/v1/resource-plans(?:/[^/?#]+)?)

See the regex demo. Details:

  • /v1/resource-plans - a literal fixed string
  • (?:/[^/?#]+)? - an optional occurrence of
    • / - a slash
    • [^/?#]+ - one or more chars other than /, ? and #
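The following is an added example, not code from the question, the answer or Splunk itself. It runs the question's original regex and the answer's regex over a handful of constructed request messages (modelled on the four shapes in the question, not real log data), emulates `stats count by TYPE`, and then applies a rename step of the kind Jerry Jeremiah's comment suggests. Splunk's rex command uses PCRE syntax, where a named group is `(?<TYPE>...)`; Python's `re` module spells the same group `(?P<TYPE>...)`, and the group bodies below are otherwise identical to the page's patterns. The `FRIENDLY_NAMES` labels are hypothetical.

```python
import re
from collections import Counter

# Constructed sample "message" values modelled on the four request shapes in the
# question (not real log data); the last one is a /_status probe the query excludes.
SAMPLE_MESSAGES = [
    '"GET /v1/resource-plans/store-manager-view?type=daily HTTP/1.1" 200',
    '"GET /v1/resource-plans/trend?xyz=1 HTTP/1.1" 200',
    '"GET /v1/resource-plans/store-director-view?location=42 HTTP/1.1" 200',
    '"POST /v1/resource-plans HTTP/1.1" 201',
    '"GET /v1/resource-plans/store-manager-view?type=weekly HTTP/1.1" 200',
    '"GET /v1/_status HTTP/1.1" 200',
]

# Splunk's rex takes PCRE syntax, where a named group is (?<TYPE>...);
# Python's re module spells the same group (?P<TYPE>...). Bodies are identical.
ORIGINAL_RE = re.compile(r"(?P<TYPE>/v1/resource-plans/\w+)")         # the question's pattern
ANSWER_RE = re.compile(r"(?P<TYPE>/v1/resource-plans(?:/[^/?#]+)?)")  # the answer's pattern

# Hypothetical display names, standing in for the `eval TYPE=case(...)` or lookup
# table suggested in the comments. Anything not listed keeps its raw path.
FRIENDLY_NAMES = {
    "/v1/resource-plans/store-manager-view": "store_manager_view",
    "/v1/resource-plans/store-director-view": "store_director_view",
    "/v1/resource-plans/trend": "trend",
    "/v1/resource-plans": "create_plan",
}


def extract_type(message, pattern=ANSWER_RE):
    """Return the TYPE field rex would extract from one message, or None if no match."""
    m = pattern.search(message)
    return m.group("TYPE") if m else None


def count_by_type(messages, pattern=ANSWER_RE, rename=None):
    """Emulate `... | rex ... | stats count by TYPE`, with an optional rename step.

    Events where the rex does not match get no TYPE field, so stats drops them,
    which is also what Splunk does.
    """
    rename = rename or {}
    counts = Counter()
    for msg in messages:
        if "/_status" in msg:  # the query's NOT message="*/_status" filter
            continue
        t = extract_type(msg, pattern)
        if t is None:
            continue
        counts[rename.get(t, t)] += 1
    return counts


if __name__ == "__main__":
    # The question's pattern stops at the first hyphen and misses the bare POST path;
    # the answer's pattern yields one row per API.
    for label, pat in (("question", ORIGINAL_RE), ("answer", ANSWER_RE)):
        print(f"--- stats count by TYPE ({label} regex) ---")
        for t, n in count_by_type(SAMPLE_MESSAGES, pat).most_common():
            print(f"{n:>3}  {t}")
    print("--- renamed ---")
    for t, n in count_by_type(SAMPLE_MESSAGES, rename=FRIENDLY_NAMES).most_common():
        print(f"{n:>3}  {t}")
```

Running it shows why the original `\w+` merged the two store views: `\w` does not include `-`, so both paths truncate to `/v1/resource-plans/store`, and the POST message gets no TYPE at all because the pattern demands a trailing slash. The rename dict is the in-memory equivalent of a Splunk lookup table; in the actual search it would become `| lookup` or an `| eval TYPE=case(...)` placed before `stats`.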