SQL Language - Pull all URLs with specific query s...

alagiriv · ‎01-10-2019

I need help pulling URLs that have a specific query string.

For example, I get all URLs for the matching query strings. Query string can be in any order.

abc.com/?a=1&b=2
abc.com/?c=1
abc.com/?d=1&a=2
List all that have a=? or b=? in the URL

abc.com/?a=1&b=2
abc.com/?d=1&a=2

John2 · ‎01-10-2022

Could it be as simple as this?

A search with an implied "AND", using a space:

"abc.com" ("a=" OR "b=")

msivill_splunk · ‎01-16-2019

Another example, which is self-contained. Everything up to and including the eval url is generating the test data.

| makeresults count=4 
| streamstats count 
| eval url = case( count==1, "http://abc.com/?a=1&b=2&c=3", count==2, "http://abc.com/?d=1&e=2&a=3", count==3, "http://abc.com/?f=1&g=2&h=3", count==4, "http://abc.com/?C=1&b=2&a=3") 
| rex field=url "[^?]*\?(?<url_path>.*)" 
| eval key_values = split(url_path, "&") 
| eval matching_keys=mvfilter(match(key_values, "a=") OR match(key_values, "b=")) 
| where isnotnull(matching_keys) 
| table url, url_path, matching_keys

seegeekrun · ‎01-10-2019

There are several ways that it could be approached, but one rough way would be as follows:

| makeresults 
| eval path = "abc.com/?a=1&b=2 abc.com/?c=1 abc.com/?d=1&a=2" 
| makemv path 
| mvexpand path 
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution" 
| makemv path delim="?"
| eval params=mvindex(path,1)
| makemv params delim="&"
| mvexpand params | stats values(path) as Paths by params

SQL Language - Pull all URLs with specific query string parameters.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!