Solved: Is there a way to trim URL string from a table? - Splunk Community

Splunk Search

So, I want to create a table where it shows the time, source IP, and URL.

sourcetype=* src_ip=* url=* | table _time, src_ip, url

The search runs fine however the URL comes back with a long string.

Example= https://www.google.com/xxx_xxx?atyp=csi&ei=tWelWaipKMOJmQGb_Lr4Cg&s=newtab&action=update&ima=1&ime=0...

Is there a way to trim the string from the URL to only show up to google.com/xxx_xxx?

1 Solution

Solution

Try like this

sourcetype=* src_ip=* url=* | table _time, src_ip, url | eval url=mvindex(split(url,"?"),0)

OR

sourcetype=* src_ip=* url=* | table _time, src_ip, url | rex field=url "^(?<url>[^\?]+)"

View solution in original post

You can also try replace() function with regular expression pattern

sourcetype=* src_ip=* url=* 
| table _time, src_ip, url 
| eval url=replace(url,"(^[^\?]+)(\?.*)","\1")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Solution

Try like this

sourcetype=* src_ip=* url=* | table _time, src_ip, url | eval url=mvindex(split(url,"?"),0)

OR

sourcetype=* src_ip=* url=* | table _time, src_ip, url | rex field=url "^(?<url>[^\?]+)"

Thanks! Worked like a charm

Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

Unleash the power of Splunk Observability Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...