Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Assigning a variable to field values consolidated by wildcard

smutherbavaro
New Member
‎03-31-2017 09:41 AM

I'm trying to wrap my head around assigning a variable to field values that have been consolidated by wildcard. The specific field is a url which contains unique values, but can be consolidated by wildcard:

/api/v1/data/dataInfo/5034542340/0031f24ea10c/867542388
/api/v1/data/dataInfo/6134191727/0031f24ea10c/1353781841
/api/v1/data/validate

Each of these has statusCode, timestamp, etc fields associated. I am needing to do a count of how many times /api/v1/data/dataInfo/* had a 404 response, and how many times /api/v1/data/validate had a 404 response, ideally in a timechart. Without consolidating to a wildcard, I have hundreds of results, because the hash that I'm consolidating via wildcard is unique.

I've tried the following, but it errors on "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '/api/v1/data/dataInfo/*)'." I take this to mean I can't use eval/if with a wildcard. 

 index=data_index environment=Production clientName="DataTool" statusCode=404
| eval dpInfo = if(url=/api/v1/data/dataInfo/*) 
| eval validate = if(url=/api/v1/data/validate) 
| timechart count

Any ideas would be very much appreciated!

0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2017 03:19 PM

Like this:

index=data_index environment=Production clientName="DataTool" statusCode=404
| timechart count(eval(match(url, "^/api/v1/data/dataInfo/"))) AS dpinvo
            count(eval(match(url, "^/api/v1/data/validate$"))) AS validate
0 Karma
Reply

DalJeanis
Legend
‎03-31-2017 03:49 PM

Is it * or .* or % in the context of match?

0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2017 04:30 PM

Good point; I should not have had the * there at all (I modified my answer). I could have put in .* but it would have been redundant for the need and waste effort for the RegEx parser.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-31-2017 10:05 AM

To use wildcards in eval, use the match or like function.

... | eval dpInfo = if (match(url,"/api/v1/data/dataInfo/.*") | ...

... | eval dpInfo = if (like(url, "/api/v1/data/dataInfo/%") | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...