Hi everyone,
I am trying to come up with a Splunk regex search for detecting URIs of URLs.
What I am interested in is the last random character and length string after the forward slash of the URLs below:
txx.zlx.mam-bg.ru/avuTbur334vxasd
zlx.axa.babishop18.ml/aipiruqwbXasal2
My fast solution to this so far is:
`... | regex uri="^/[a-zA-Z0-9]{8,20}$"`
However, I am unable to verify if this works as I don't have access to the logs currently.
Any suggestions for improvement would be appreciated.
Have you seen the URL Toolbox app (https://splunkbase.splunk.com/app/2734/)? It will parse the URL for you.
If you really want or need to do it yourself, provide some sample data and we should be able to help you find a regex string that works with it.
Rich, thanks for the link to the app, I will give it a try later.
I asked for some sample URLs to be emailed, here they are:
http://www.zdp.xu9lb084.IRISHKO.RU/bnhwf28dzmxoo
http://ylg.zc90xzeu.mama-bg.ru/aoxzc28jlcabog
http://hzm.hzm.6ju4a0t6.river-runningasd.ga/gqnckvx30hxgdtils
As you can see, the last random character/length string after the domain suffix and / connects all of them. What I am trying to do here is to go through logs and find any URLs that have such a string. From what I know, the length of the string varies between 8-20 characters.
Any suggestions for improvement would be appreciated.
The URL Toolbox app can do that easily.
This regex string matches your sample text: `\.\w+\/(?<URI>.*)`
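An offline check of the two regexes from this thread against the URLs quoted in it, added here as an example and not code from any poster. Python's `re` stands in for Splunk's PCRE, the `example.com` URLs are constructed, and `PATH_FILTER_DIGIT` is an assumed tightening that the thread does not propose.

```python
import re
from urllib.parse import urlsplit

# The asker's filter, for a field that holds only the path (Splunk `uri`).
PATH_FILTER = re.compile(r"^/[a-zA-Z0-9]{8,20}$")
# The answer's extraction regex; Python writes the named group as (?P<URI>...).
EXTRACT = re.compile(r"\.\w+/(?P<URI>.*)")
# Assumption, not from the thread: also require a digit, as every sample has one.
PATH_FILTER_DIGIT = re.compile(r"^/(?=[a-zA-Z]*[0-9])[a-zA-Z0-9]{8,20}$")

def path_of(url):
    """Return the URL path, adding a scheme when the logged value has none."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).path

def extract_uri(url):
    """Apply the answer's regex to a full URL and return the URI group."""
    m = EXTRACT.search(url)
    return m.group("URI") if m else None

def matching(urls, pattern=PATH_FILTER):
    """Return the URLs whose path passes the given filter."""
    return [u for u in urls if pattern.match(path_of(u))]

# URLs quoted in the thread.
THREAD_SAMPLES = [
    "txx.zlx.mam-bg.ru/avuTbur334vxasd",
    "zlx.axa.babishop18.ml/aipiruqwbXasal2",
    "http://www.zdp.xu9lb084.IRISHKO.RU/bnhwf28dzmxoo",
    "http://ylg.zc90xzeu.mama-bg.ru/aoxzc28jlcabog",
    "http://hzm.hzm.6ju4a0t6.river-runningasd.ga/gqnckvx30hxgdtils",
]
# Constructed benign-looking URLs, used to see what else the filter catches.
CONSTRUCTED = [
    "http://example.com/downloads",   # 9 letters, no digit
    "http://example.com/index.html",  # dot in the path
    "http://example.com/a/b",         # nested path
    "http://example.com/login",       # shorter than 8 characters
]

if __name__ == "__main__":
    for u in THREAD_SAMPLES + CONSTRUCTED:
        print(u, bool(PATH_FILTER.match(path_of(u))),
              bool(PATH_FILTER_DIGIT.match(path_of(u))), extract_uri(u))
```

The asker's filter passes all five thread URLs but also the ordinary single-word path `/downloads`, so on real logs it is worth measuring the benign hit rate before alerting on it.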