Splunk Search

How to write a transaction search where startswith starts with event A, while endswith must match a regex

phudinhha
Explorer

I need to find a sequence of activity that always start with:
http://abc.com/abc.html
http://abc.com/end.xvz?....

so I tried to uses this search query:

index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"^\/\w+\.\w+")

However, the return result is 0 event.

Is there anyway that I can refine it?

Thank you so much

Tags (2)
0 Karma

woodcock
Esteemed Legend

Try this:

 index=sourceindex | rex field=url "(?<url_front>[^\?]*)\/(?<url_back>.*)" | transaction url_front maxspan=30s endswith=eval(match(url_back,"end.xyz"))

Actually, you may not even need the endswith part (which I know is wrong because I don't know what you are trying to match exactly).

0 Karma

phudinhha
Explorer

I recognized the pattern in network activities like this.

http://123.com/abc.html
http://123.com/end.xvz?....

AND

http://456.com/abc.html
http://456.com/quiz.one?...

So I want to use transaction to look for a sequence of activity that starts with "abc.html" and ends with ""^/w+.w+".

0 Karma

woodcock
Esteemed Legend

Your RegEx will never match (even if url has http:// removed). To make it match, use something like this:

 index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"\w+\.\w+\?")
0 Karma

phudinhha
Explorer

Dear woodcock,
The return result is 0 event. However, when i omit the "endswith" part, the expected "end.xvz?...." also shows in the event tab as a part of "/abc.html" event. What does it mean?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...