Solved: How to use SED to remove optional fields?

singlinet · ‎11-24-2022

We have api requests that I want to create statistics by the request but to do this I need to remove variable identifiers and any parameters.

For example, with the following requestpatterns

POST /api-work-order/v1/work-orders/10611946/labours-reporting/2004131 HTTP/1.1
GET /api-work-order/v1/work-orders/10611946/labours-reporting HTTP/1.1
PUT /api-work-order/v1/work-orders/10611946 HTTP/1.1
GET /api-work-order/v1/work-orders HTTP/1.1

I need to replace the identifiers to extract:

POST /api-work-order/v1/work-orders/{id}/labours-reporting/{id}
GET /api-work-order/v1/work-orders/{id}/labours-reporting
PUT /api-work-order/v1/work-orders/{id}
GET /api-work-order/v1/work-orders

singlinet · ‎11-24-2022

Thanks for the suggestion.

I have resolved the issue by defining the full string as field Endpoint and then doing multiple passes to strip the various numeric identifiers.

rex field=Endpoint mode=sed "s/(.*)(\/|$)\d{2,}$/\1\2<id>/g"
| rex field=Endpoint mode=sed "s/(.*)(\/)\d{2,}(\/.*$)/\1\2<id>\3/g"
| stats count by Endpoint

View solution in original post

yuanliu · ‎11-24-2022

SPL provides several methods to do regex replacement. One method is rex mode=sed, the other replace. Let's use rex since you are already considering sed.

| rex mode=sed "s/(\/api-work-order\/v1\/work-orders\/)\d+(.*)/\1{id}\2/"

singlinet · ‎11-24-2022

Thanks for the suggestion.

I have resolved the issue by defining the full string as field Endpoint and then doing multiple passes to strip the various numeric identifiers.

rex field=Endpoint mode=sed "s/(.*)(\/|$)\d{2,}$/\1\2<id>/g"
| rex field=Endpoint mode=sed "s/(.*)(\/)\d{2,}(\/.*$)/\1\2<id>\3/g"
| stats count by Endpoint

How to use SED to remove optional fields?

regex

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel