Hello,
I have defined api_names and am calculating counts and sigma limits for alerts based on the uri stem.
Example uri stem: /api/v1/customer/details/customernumber/12345
I can't use regex here (or I am not that skilled). I've created this:
| eval cs_uri_stem=lower(cs_uri_stem)
| rex field=cs_uri_stem "/api/v\d/(?<api_name>\w+[a-z-]\w+).*"
However, it will parse out the api name only till the first slash (/), so I'll match customer. However, I do not match customer/details/customernumber, as they follow between additional slashes.
Due to this limitation, I've created a big case statement with 122 x 2 branches.
| eval api_name = case(
like(cs_uri_stem,"/api/v%/customers/%"),"customers", like(cs_uri_stem,"/api/v%/customers%"),"customers",
like(cs_uri_stem,"/api/v%/customer-groups/%"),"customer-groups", like(cs_uri_stem,"/api/v%/customer-groups%"),"customer-groups",
like(cs_uri_stem,"/api/v%/customer-bases/%"),"customer-bases", like(cs_uri_stem,"/api/v%/customer-bases%"),"customer-bases",
like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list/%"),"customer/shippingaddresses/list", like(cs_uri_stem,"/api/v%/customer/shippingaddresses/list%"),"customer/shippingaddresses/list",
like(cs_uri_stem,"/api/v%/customer/search/%"),"customer/search", like(cs_uri_stem,"/api/v%/customer/search%"),"customer/search",
like(cs_uri_stem,"/api/v%/customer/details/customernumber/%"),"customer/details/customernumber", like(cs_uri_stem,"/api/v%/customer/details/customernumber%"),"customer/details/customernumber",
like(cs_uri_stem,"/api/v%/customer/%"),"customer", like(cs_uri_stem,"/api/v%/customer%"),"customer",
1=1,"OTHER")
Now questions:
1. What is the SPLUNK limitation on the number of branches in a single CASE statement?
2. What is the impact of running such a big case statement?
3. I assume that the SPLUNK case statement works in the same manner as in SQL, so I've organized the patterns in descending order to match customer/details/customernumber first and customer only on the rest. Am I correct?
4. Is there any opportunity to optimize this case statement?
5. Is there any alternative? (I'm already thinking about leveraging rex and doing it in multiple levels, like customer = api_name_L1, details = api_name_L2, customernumber = api_name_L3.)
I'd appreciate any help/comments here.
Thank you!
m.
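A Python model of the two approaches discussed in the post (an added example, not part of the post or of Splunk; the name list is copied from the case() branches above, the sample stems are constructed): longest-prefix matching on whole path segments, which is what an ordered case() relies on and which keeps a pattern like customer% from also matching customers or customer-groups, beside a single regex that captures every non-numeric segment, the multi-level rex idea from question 5.

```python
import re

# API names taken from the case() branches in the post (constructed list).
API_NAMES = [
    "customers",
    "customer-groups",
    "customer-bases",
    "customer/shippingaddresses/list",
    "customer/search",
    "customer/details/customernumber",
    "customer",
]

_PREFIX_RE = re.compile(r"^/api/v\d+/")
# Captures alphabetic/hyphen segments after /api/vN/ and stops at the first
# segment containing anything else (an ID such as 12345), like a single rex.
_NAME_RE = re.compile(r"^/api/v\d+/(?P<api_name>[a-z-]+(?:/[a-z-]+)*)")


def api_name_by_prefix(uri_stem: str, names=API_NAMES) -> str:
    """Ordered-case() equivalent: most specific (longest) name is tried first,
    and a name only matches at a segment boundary ("customer" does not match
    "customers/..." or "customer-groups/...")."""
    stem = uri_stem.lower()
    m = _PREFIX_RE.match(stem)
    if not m:
        return "OTHER"
    rest = stem[m.end():]
    for name in sorted(names, key=len, reverse=True):
        if rest == name or rest.startswith(name + "/"):
            return name
    return "OTHER"


def api_name_by_regex(uri_stem: str) -> str:
    """Single-regex alternative: no name list needed, but unknown sub-resources
    (e.g. customer/orders) become their own bucket instead of falling back to
    "customer", and only digit-containing segments are treated as IDs."""
    m = _NAME_RE.match(uri_stem.lower())
    return m.group("api_name") if m else "OTHER"
```

The trade-off between the two is visible on a stem such as /api/v1/customer/orders/1: the prefix version returns the known parent customer, the regex version returns customer/orders, which changes how counts and sigma limits are baselined.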