I want to use rex to figure out the pattern for a url. The URL looks something like -
text . The other 2 URLs have feel-high and feel-low in the URL, and everything else is the same. I want to figure out the count of their calls in the last 60 mins.
I have the logic of calculating the count, and all I need is the rex pattern.
Can you please help me in the matter? Thanks in advance!
Well, it's always easier to give advice given a few full events to work from. I assume that you want the first part, between the opening parenthesis and the space before 'HTTP/1.1'. Also, I guess that the parenthesis is actually NOT in your event;
your base search | rex "\s(?<url>\S+)\sHTTP/1\..\s" | the rest of your search
Given that this looks like a csv style log (or rather whitespace separated values), you may benefit from using a props/transforms REPORT with FIELDS and DELIMS.
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Propsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio...
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/K
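To check what the rex pattern in the answer above extracts before using it in a search, this added example (not part of the original answer) runs the same expression over constructed events in Python and counts calls per URL variant in a 60-minute window. The event layout, paths, timestamps and the "other" bucket are assumptions, since the page shows no full event.

```python
import re
from collections import Counter

# The rex pattern from the answer. Python's re spells the named group
# (?P<url>...); Splunk's rex accepts (?<url>...).
URL_RE = re.compile(r"\s(?P<url>\S+)\sHTTP/1\..\s")

NOW = 1_700_003_600  # constructed "current" epoch time

# Constructed events as (epoch, raw). Paths and field layout are assumptions.
EVENTS = [
    (NOW - 120, "10.0.0.5 GET /svc/feel-high/check HTTP/1.1 200 512"),
    (NOW - 300, "10.0.0.6 GET /svc/feel-low/check HTTP/1.1 200 498"),
    (NOW - 900, "10.0.0.5 GET /svc/feel-high/check HTTP/1.1 500 0"),
    (NOW - 1800, "10.0.0.7 GET /svc/feel/check HTTP/1.0 200 530"),
    (NOW - 4000, "10.0.0.7 GET /svc/feel-low/check HTTP/1.1 200 498"),  # outside window
    (NOW - 60, '10.0.0.8 "GET /svc/feel-low/check HTTP/1.1" 200 498'),  # quoted request
    (NOW - 30, "10.0.0.9 GET /svc/feel-high/check HTTP/1.1"),  # nothing after protocol
]

def extract_url(raw):
    """Return the token before ' HTTP/1.x ', or None when the pattern misses."""
    m = URL_RE.search(raw)
    return m.group("url") if m else None

def variant(url):
    """Bucket a URL by the feel-high / feel-low marker named in the question."""
    m = re.search(r"feel-(?:high|low)", url)
    return m.group(0) if m else "other"

def count_calls(events, now, window=3600):
    """Count calls per variant inside the window; collect events the pattern misses."""
    counts, missed = Counter(), []
    for ts, raw in events:
        if not 0 <= now - ts <= window:
            continue
        url = extract_url(raw)
        if url is None:
            missed.append(raw)
        else:
            counts[variant(url)] += 1
    return counts, missed

if __name__ == "__main__":
    counts, missed = count_calls(EVENTS, NOW)
    print(dict(counts))
    for raw in missed:
        print("no url extracted:", raw)
```

The two missed events show that the pattern depends on whitespace following the protocol version, so events with a quoted request line or with nothing after the protocol drop out of the count silently.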