Splunk Search

How to extract a particular field from a URI in Splunk?

jagdeepgupta813
Explorer

My data is coming like below in splunk

method=PUT uri=/AppA/USA/comp1/Refrence/20160120A123456/price query= httpstatus=200 bytes=7772 processtime=682 ms

or

method=PUT uri=/AppA/USA/comp2/tax query= httpstatus=200 bytes=7772 processtime=682 ms

I want to get the last value after / from the URI column and the average process time for that in a time frame.

For example, for a day, I want to see the average time taken for service tax and price.

And how do I get any value in between URI? For example, I want to get the country type from the above URI, and want to see the average time taken for each service in different countries.

0 Karma
1 Solution

masonmorales
Influencer

Try:

| rex field=uri "\/\w+\/(?<Country>\w+)" | rex field=uri "\/(?<Type>\w+)\s"

Should extract a field called "Country" and a field called "Type". I assume bytes, httpstatus, and processingtime are auto-extracted for you by Splunk since they're key=value pairs.


s2_splunk
Splunk Employee

You can do it all in one go by using this (no need to escape forward slashes):

rex field=uri "/\w+/(?<Country>\w+).*/(?<Service>\w+)$"
0 Karma

jagdeepgupta813
Explorer

Why is this not working?
rex field=url "\/(?\d+)$"

I tried this as well
rex field=url "\/(?\d+)RETURN"

However, this worked:
rex field=url "\/(?\d{10,})$"

My url field has a value like
http://IP:PORT/Folder1/rest/service1/1234/Stor3/001/12345678910/RETURN

0 Karma

jagdeepgupta813
Explorer

It was my bad; this worked:

rex field=url "\/(?\d+)\/RETURN"

0 Karma