I need to find a sequence of activity that always starts with:
http://abc.com/abc.html
http://abc.com/end.xvz?....
so I tried to use this search query:
index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"^\/\w+\.\w+"))
However, the returned result is 0 events.
Is there any way that I can refine it?
Thank you so much
Try this:
index=sourceindex | rex field=url "(?<url_front>[^\?]*)\/(?<url_back>.*)" | transaction url_front maxspan=30s endswith=eval(match(url_back,"end.xyz"))
Actually, you may not even need the endswith part (which I know is wrong because I don't know what you are trying to match exactly).
I recognized the pattern in network activities like this.
http://123.com/abc.html
http://123.com/end.xvz?....
AND
http://456.com/abc.html
http://456.com/quiz.one?...
So I want to use transaction to look for a sequence of activity that starts with "abc.html" and ends with "^/w+.w+".
Your RegEx will never match (even if url has http:// removed). To make it match, use something like this:
index=sourceindex | transaction maxspan=30s startswith=url="/abc.html" endswith=eval(match(url,"\w+\.\w+\?"))
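The following is an added example, not code from the thread or from Splunk, that reproduces the regex point made above and approximates what transaction does with the two queries. It runs the question's pattern and the answer's pattern over a handful of constructed URL events (hosts, paths and query strings are made up), splits url into url_front/url_back the way the first answer's rex does, and groups events per url_front with a 30 s maxspan. Splunk's match() is an unanchored PCRE search, which Python's re.search mirrors closely enough for these patterns; the grouping logic is a simplification of transaction (Splunk walks events newest-first and has its own eviction rules).

```python
import re
from datetime import datetime

# Constructed sample events (not from the thread): (_time, url). Hosts, paths
# and query strings are made up to mirror the pattern described in the question.
EVENTS = [
    ("2024-01-01 10:00:00", "http://abc.com/abc.html"),
    ("2024-01-01 10:00:05", "http://abc.com/end.xvz?id=1"),
    ("2024-01-01 10:00:40", "http://456.com/abc.html"),
    ("2024-01-01 10:00:52", "http://456.com/quiz.one?q=2"),
    ("2024-01-01 10:02:00", "http://789.com/abc.html"),
    ("2024-01-01 10:03:30", "http://789.com/late.bin?x=9"),  # 90 s later: outside maxspan=30s
]

ORIGINAL_END_RE = re.compile(r"^\/\w+\.\w+")   # regex from the question
PROPOSED_END_RE = re.compile(r"\w+\.\w+\?")    # regex from the answer
# Same rex as the first answer, in Python named-group syntax.
SPLIT_RE = re.compile(r"(?P<url_front>[^?]*)/(?P<url_back>.*)")


def count_matches(pattern, urls):
    """Number of url values an unanchored (PCRE-style) search of pattern matches."""
    return sum(1 for u in urls if pattern.search(u))


def split_url(url):
    r"""Emulates `rex field=url "(?<url_front>[^\?]*)\/(?<url_back>.*)"`."""
    m = SPLIT_RE.match(url)
    return (m.group("url_front"), m.group("url_back")) if m else (None, None)


def build_transactions(events, maxspan_s=30, start_path="abc.html", end_re=PROPOSED_END_RE):
    """Approximates `transaction url_front maxspan=... startswith=... endswith=...`.

    Events are walked in time order and grouped by url_front. A group opens at an
    event whose url_back equals start_path, absorbs following events for the same
    url_front, and closes at the first event end_re matches (or, when end_re is
    None, at the next start event or the end of the data). Groups whose span
    exceeds maxspan_s are dropped. Simplification of Splunk's real behaviour.
    """
    open_tx, closed = {}, []

    def close(key):
        tx = open_tx.pop(key)
        span = (tx[-1][0] - tx[0][0]).total_seconds()
        if span <= maxspan_s:
            closed.append({"url_front": key, "urls": [u for _, u in tx], "duration": span})

    for ts, url in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        front, back = split_url(url)
        if back == start_path:
            if front in open_tx and end_re is None:
                close(front)             # no endswith: a new start closes the previous group
            open_tx[front] = [(t, url)]  # startswith: open a new group for this url_front
        elif front in open_tx:
            open_tx[front].append((t, url))
            if end_re is not None and end_re.search(back):
                close(front)             # endswith matched: emit the transaction
    if end_re is None:                   # without endswith, whatever is still open is emitted
        for key in list(open_tx):
            close(key)
    return closed


if __name__ == "__main__":
    urls = [u for _, u in EVENTS]
    print("question regex matches:", count_matches(ORIGINAL_END_RE, urls))
    print("answer regex matches:  ", count_matches(PROPOSED_END_RE, urls))
    for tx in build_transactions(EVENTS):
        print(tx)
    print("without endswith:", build_transactions(EVENTS, end_re=None))
```

Running it shows the anchored pattern `^\/\w+\.\w+` matching none of the url values, because every value begins with the scheme rather than `/`, while `\w+\.\w+\?` matches exactly the three "file?query" URLs. With endswith removed, the end.xvz event still lands inside the group opened by /abc.html, which is the behaviour the follow-up in this thread describes; the 789.com pair is dropped in both runs because its span exceeds maxspan.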
Dear woodcock,
The returned result is 0 events. However, when I omit the "endswith" part, the expected "end.xvz?...." also shows in the event tab as a part of the "/abc.html" event. What does it mean?