How to write a transaction search where startswith...

phudinhha · ‎07-09-2015

I need to find a sequence of activity that always start with:
http://abc.com/abc.html
http://abc.com/end.xvz?....

so I tried to uses this search query:

index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"^\/\w+\.\w+")

However, the return result is 0 event.

Is there anyway that I can refine it?

Thank you so much

woodcock · ‎07-09-2015

Try this:

 index=sourceindex | rex field=url "(?<url_front>[^\?]*)\/(?<url_back>.*)" | transaction url_front maxspan=30s endswith=eval(match(url_back,"end.xyz"))

Actually, you may not even need the endswith part (which I know is wrong because I don't know what you are trying to match exactly).

phudinhha · ‎07-09-2015

I recognized the pattern in network activities like this.

http://123.com/abc.html
http://123.com/end.xvz?....

AND

http://456.com/abc.html
http://456.com/quiz.one?...

So I want to use transaction to look for a sequence of activity that starts with "abc.html" and ends with ""^/w+.w+".

woodcock · ‎07-09-2015

Your RegEx will never match (even if url has http:// removed). To make it match, use something like this:

 index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"\w+\.\w+\?")

phudinhha · ‎07-09-2015

Dear woodcock,
The return result is 0 event. However, when i omit the "endswith" part, the expected "end.xvz?...." also shows in the event tab as a part of "/abc.html" event. What does it mean?

How to write a transaction search where startswith starts with event A, while endswith must match a regex

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk