Splunk Search

All URL'S Not coming after using match functionality

shabdadev
Engager

Hi ALL,
I wrote the below query

index=noact host=loss0* sourcetype=pro-e 

(
path="/desktop/account/" OR
path="/desktop/PerItemNumber" OR
path="/desktop/organization/groups" OR
path="/desktop/organization/groups/*"  
)

| eval URL=

case
(

match(path,"\/desktop\/account"),"/desktop/account",
match(path,"\/desktop\/PerItemNumber"),"/desktop/PerItemNumber",
match(path,"\/desktop\/organization\/groups"),"/desktop/organization/groups",
match(path,"\/desktop\/organization\/groups\/.*"),"/desktop/organization/groups/*"


) 

But when i am running it only the desktop/account value is being populated in URL ( NEW FIELD ) .Not sure why while rest url's also have values but they are not coming .

Tags (1)
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Because of the way match works, the fourth case construct is never going to execute, and you don't need it anyway. I agree with @niketnilay that your code should work fine if the events exist.

  index=noact host=loss0* sourcetype=pro-e 
  ( path="/desktop/account/" OR
    path="/desktop/PerItemNumber" OR
    path="/desktop/organization/groups*"
    )
 | eval URL= case ( match(path,"\/desktop\/account"), "/desktop/account",
      match(path,"\/desktop\/PerItemNumber"), "/desktop/PerItemNumber",
      match(path,"\/desktop\/organization\/groups"), "/desktop/organization/groups"
       ) 
0 Karma

shabdadev
Engager

"Because of the way match works" - I didnt understood what you mean by this ? Why the fourth case will never execute ??

I have taken below example in which both the requests are different , they server diff purpose and i want then separately

index=noact host=loss0* sourcetype=pro-e 
   ( 
     path="/desktop/organization/groups"
      path="/desktop/organization/groups/*"
     )
  | eval URL= case ( 

       match(path,"\/desktop\/organization\/groups"), "/desktop/organization/groups",
      match(path,"\/desktop\/organization\/groups/.*"), "/desktop/organization/groups/*"
        ) 

But i observed that when i execute this , splunk throws the second URL (/desktop/organization/groups/*)
in the new field 'URL' as /desktop/organization/groups ...and thats why i am not getting other values

and i think this is what you are refering to ..am i right?

Why this behavior ??

When i swapped the position of URLs in case command , then i am getting both the URL's as expected .....:) Why this thing i am not understanding ?

As match compares the URL with the regex i give it to and it should populate the values in the field which i give then why it act like that?? Please clarify this

0 Karma

niketn
Legend

[UPDATED ANSWER]

@shabdadev, sorry I had missed .* in my search.

Match finds a regular expression pattern in the string being searched. So the substring in 3rd condition, i.e. "\/desktop\/organization\/groups", will always be true even if you have more content in your path after groups. Hence the final case block will never be hit. If this is clear you do not need a separate case for groups/.* as @DalJeanis has suggested.

In case you want exact match for groups url and partial match for groups url to be categorized differently you can try the following case block:

| makeresults
| eval path= "/desktop/account/,/desktop/PerItemNumber,/desktop/organization/groups,/desktop/organization/groups/.*"
| makemv path delim=","
| mvexpand path
| eval URL= case (match(path,"/desktop/account"),"/desktop/account",
                  match(path,"/desktop/PerItemNumber"),"/desktop/PerItemNumber",
                  (path="/desktop/organization/groups"),"/desktop/organization/groups",
                  match(path,"/desktop/organization/groups/.*"),"/desktop/organization/groups/.*")
| table path URL

PS: As you can see in 3rd condition I am comparing exact url and 4th I am using match() pattern.


It should work as expected. Can you please post some sample Data?
Following is a run anywhere search with pipes until mvexpand command to generate paths for four groups you have. I have used similar case() and match() methods as yours (only modification is backslash need not be escaped)

| makeresults
| eval path= "/desktop/account/,
 /desktop/PerItemNumber,
 /desktop/organization/groups,
 /desktop/organization/groups/*"
| makemv path delim=","
| mvexpand path
| eval URL= case (match(path,"/desktop/account"),"/desktop/account",
                  match(path,"/desktop/PerItemNumber"),"/desktop/PerItemNumber",
                  match(path,"/desktop/organization/groups"),"/desktop/organization/groups",
                  match(path,"/desktop/organization/groups/.*"),"/desktop/organization/groups/*")
| table path URL

I am able to see four groups of URL as per the path.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...