Splunk Search

How to use regex inside eval?

kollachandra
Path Finder

I need to use regex inside the eval as I have to use multiple regexes inside of it. I am writing something like this

| eval counter=case( 
 | regex cs_uri_stem = "/**/sales/v\d/\d{8,}/***", "******", 
 | regex cs_uri_stem = "/**/sales/v\d/\d{8,}/**", "**"

I need to include more regexes to get the count of each single endpoint

0 Karma
1 Solution

elliotproebstel
Champion

If all the things you're looking to count match that same pattern, then you'd be well suited to extract the value from that pattern and count based on the extracted value.

| rex field=cs_uri_stem "\/HomeOwners\/sales\/v\d\/\d{8,}\/(?<endpoint>[^\/]+)"

And this more succinct regex would probably even work:

| rex field=cs_uri_stem "(?<endpoint>[^\/]+)$"

Then to populate the counter field:

| eventstats count AS counter BY endpoint

And if you just need the counter and not the rest of the event data, you could use stats instead of eventstats:

| stats count AS counter BY endpoint


0 Karma


kollachandra
Path Finder

I want to get the average of different API calls hosted on the same set of servers. I need to write regex as it has a different session in the call syntax (sales/v1/54571418/Purchases). So, what I need is to get the avg of all the endpoints like

Endpoint                    avg time
sales/v1/*****/Purchases    Purchases   12
sales/v1/**/Documents       Documents   10
sales/v1/**/Addresses       Addresses   11
sales/v1/*****/Purchases    Purchases   12

0 Karma

elliotproebstel
Champion

So let's take it one step at a time. Is this rex command working to extract your endpoints?

| rex field=cs_uri_stem "(?<endpoint>[^\/]+)$"

If not, can you post some examples of the full contents of the cs_uri_stem field where it's not working? It's best if you use the 101010 code button to ensure none of the characters you're posting get eaten by the posting software. Or if those endpoints aren't in the cs_uri_stem field and I misunderstood your original post, please share the full values of the fields where the endpoints are contained. We'll get it sorted!

0 Karma
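The same extract-then-aggregate approach, written out in Python as an added example (not code from the thread or from Splunk) so the two rex patterns from the accepted answer and the count/average requested in the follow-up can be checked offline. Splunk writes a named capture group as (?<name>...); Python's re module uses (?P<name>...) for the same thing, and the escaped slashes in the SPL pattern are not needed in a Python raw string. The sample events and their time_taken values are constructed for this example, and the trailing-slash and non-sales URIs are included deliberately to show where the short end-anchored pattern and the strict path pattern disagree.

```python
import re
from collections import defaultdict

# Strict rex from the accepted answer, in Python's (?P<name>...) syntax.
STRICT = re.compile(r"/HomeOwners/sales/v\d/\d{8,}/(?P<endpoint>[^/]+)")
# The "more succinct" rex: the last path segment, anchored at end of string.
SUCCINCT = re.compile(r"(?P<endpoint>[^/]+)$")

# Constructed sample events (hypothetical cs_uri_stem and time_taken values,
# not taken from the thread). Two edge cases are included on purpose:
# a trailing slash, and a URI that is not under the sales path at all.
EVENTS = [
    {"cs_uri_stem": "/HomeOwners/sales/v1/54571418/Purchases", "time_taken": 12},
    {"cs_uri_stem": "/HomeOwners/sales/v1/54571418/Documents", "time_taken": 10},
    {"cs_uri_stem": "/HomeOwners/sales/v1/98765432/Addresses", "time_taken": 11},
    {"cs_uri_stem": "/HomeOwners/sales/v2/11223344/Purchases", "time_taken": 14},
    {"cs_uri_stem": "/HomeOwners/sales/v1/55667788/Purchases/", "time_taken": 16},
    {"cs_uri_stem": "/HomeOwners/health", "time_taken": 1},
]


def rex(pattern, value):
    """Mimic `| rex field=cs_uri_stem "<pattern>"`: return the captured
    endpoint, or None when the pattern does not match (no field created)."""
    m = pattern.search(value)
    return m.group("endpoint") if m else None


def stats_by_endpoint(events, pattern):
    """Mimic `| stats count AS counter avg(time_taken) AS avg_time BY endpoint`.
    Events where the rex did not match have no endpoint field, so the BY clause
    drops them, just as Splunk does."""
    counts = defaultdict(int)
    totals = defaultdict(float)
    for ev in events:
        ep = rex(pattern, ev["cs_uri_stem"])
        if ep is None:
            continue
        counts[ep] += 1
        totals[ep] += ev["time_taken"]
    return {
        ep: {"counter": counts[ep], "avg_time": totals[ep] / counts[ep]}
        for ep in sorted(counts)
    }


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT), ("succinct", SUCCINCT)):
        print(f"--- {name} ---")
        for ep, row in stats_by_endpoint(EVENTS, pattern).items():
            print(f"{ep:<12} counter={row['counter']}  avg_time={row['avg_time']:.1f}")
```

Running it shows the difference a practitioner should expect before trusting either pattern: the strict pattern only counts requests under /HomeOwners/sales/v\d/\d{8,}/ and still captures "Purchases" when the URI carries a trailing slash, while the end-anchored pattern misses that trailing-slash request entirely (nothing non-slash precedes the end of string) and happily counts "/HomeOwners/health" as an endpoint named health. Which behaviour is right depends on whether the dashboard is meant to cover only the sales API or every request the servers serve.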