I would like to use function case and regex together and extract the value of capturing group in one field
e.g. http_request field value is : abcd.com/getdata?type=numberEnabled
or abcd.com/showdata?type=numberEnabled
Would like to do something like
eval mode=case(regex(http_request,".*(getdata|showdata).*numberEnabled",$1.Enabled, true(), "other")
and it should return
getdata.Enabled
showdata.Enbaled
I think it's better to state what problem you're trying to solve rather than saying how explicitly you would like to solve it. Your proposed solution is not how it works in Splunk. You'd first extract the getdata
or showdata
string, then do an eval
where you check if you got a value for that field. Something like this.
... | rex field=http_request ".*(?<endpoint>getdata|showdata).*numberEnabled" | eval mode=if(isnotnull(endpoint), endpoint . "Enabled", "other")
OK? In your example you had a case function ending with the string "other" as fallback, so that's what I've done in my proposed solution as well. What part of the URL would you want to extract as a fallback option?
To me the solution is not clear. To state again , i want to match my URL against different values and if none of the value match then i want to extract a part of URL.