I have logs of the format...
2022-09-07T01:42:06.321624+00:00 micro.service 2867ce23-bdfd-48eb-ba5a-40e1e8a93987[[APP/PROC/WEB/0]] 159.203.190.66, 100.64.144.3 - - - [07/Sep/2022:01:42:06 +0000] "GET url HTTP/1.1" 404 125
...and I want to extract a count of missing URLs by microservice. I can get a count of microservice using...
index=myIndex "404 125" | rex "^\S+\s(?<microService>\S+).*" | bucket _time span=day | stats count by microService
...but I would like to know how to add the URL.
Any help appreciated.
Hi @Mick_OBrien,
let me understand: in your sample you want to extract: "micro.service" and "APP/PROC/WEB/0", is that correct?
If this is your need, please try this:
| rex "^\S+\s(?<microService>\S+).*.\[\[(?<url>[^\]]+)"
that you can test at https://regex101.com/r/HFgP6J/1
Ciao.
Giuseppe
Hi @Mick_OBrien,
ok, please try this:
| rex "^\S+\s(?<microService>\S+).*.\"GET\s+(?<url>[^ ]+)"
that you can test at https://regex101.com/r/HFgP6J/2
Ciao.
Giuseppe
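An offline check of the rex pattern from the answer above, added here as an example and not part of the original thread: it applies the pattern to constructed log lines and tallies them the way `stats count by microService, url` would. The Python named-group spelling `(?P<name>...)`, the helper names `make_line` and `count_missing`, and all sample values are assumptions for illustration.

```python
import re
from collections import Counter

# The rex pattern from the answer, in Python syntax: (?<name>...) becomes
# (?P<name>...), and the \" escape needed inside an SPL string is dropped.
REX = re.compile(r'^\S+\s(?P<microService>\S+).*."GET\s+(?P<url>[^ ]+)')

def make_line(service, method, url, status, size):
    """Build a constructed log line in the format shown in the question."""
    return (f'2022-09-07T01:42:06.321624+00:00 {service} '
            f'00000000-0000-0000-0000-000000000001[[APP/PROC/WEB/0]] '
            f'192.0.2.10, 198.51.100.3 - - - [07/Sep/2022:01:42:06 +0000] '
            f'"{method} {url} HTTP/1.1" {status} {size}')

# Constructed sample data (documentation IPs, made-up services and URLs).
SAMPLE = [
    make_line('micro.service', 'GET', '/missing/page', 404, 125),
    make_line('micro.service', 'GET', '/missing/page', 404, 125),
    make_line('billing.service', 'GET', '/old/api', 404, 125),
    make_line('micro.service', 'POST', '/submit', 404, 125),  # 404, but not a GET
    make_line('micro.service', 'GET', '/ok', 200, 512),       # not a 404
]

def count_missing(lines):
    """Return (counts, skipped).

    counts  : Counter keyed by (microService, url), like
              `stats count by microService, url`.
    skipped : events that passed the "404 125" text filter but did not match
              the pattern. In Splunk such events have no url field, so
              `stats ... by url` leaves them out of the result without notice.
    """
    counts, skipped = Counter(), 0
    for line in lines:
        if '404 125' not in line:   # same raw-text filter as the base search
            continue
        m = REX.search(line)
        if m is None:
            skipped += 1
            continue
        counts[(m['microService'], m['url'])] += 1
    return counts, skipped

if __name__ == '__main__':
    counts, skipped = count_missing(SAMPLE)
    for (service, url), n in counts.most_common():
        print(f'{service}\t{url}\t{n}')
    print(f'404 events not matched by the GET-only pattern: {skipped}')
```

A non-zero `skipped` value means some 404 events use a method other than GET and will be missing from the per-URL count.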
Thanks - that seems to be working!
Hi @Mick_OBrien,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉