This is the sample accessLog which is coming up in the Splunk ui.
{"timestamp":"2021-10-17T15:03:56,763Z","level":"INFO","thread":"reactor-http-epolpl-20","message":"method=GET, uri=/api/v1/hello1, status=200, duration=1, "logger":"reactor.netty.http.server.AccessLog"}
{"timestamp":"2021-10-17T15:03:56,763Z","level":"INFO","thread":"reactor-http-epolpl-20","message":"method=GET, uri=/api/v1/dummy1, status=200, duration=1, "logger":"reactor.netty.http.server.AccessLog"}
I want to extract the url and make a count for all the API's like how many times an API is hitted from the uri part(uri=/api/v1/dummy1)
(index=dummy OR index=dummy1) source=*dummy-service* logger=reactor.netty.http.server.AccessLog
| rex field=message "(?<url>uri.[\/api\/v1\/hello]+)"
| chart count by url
But it's not giving URL in a proper format. I tried various regex, but couldn't get the proper URL count.
I wanted to use this query to show the API counts in the Splunk dashboard.
The problem appears to be with the regular expression in the rex command. Square brackets ([]) in a regex denote a set from which any character can match, in any order. The example regex should match "/api/v1/hello", but also will match "iap/1v/ohell", "philo", and any other permutation of those characters. It will not, however, match "/api/v1/dummy1".
Try this query. The rex command here takes everything between "uri=" and the following comma as the url.
index=dummy OR index=dummy1 source=*dummy-service* logger=reactor.netty.http.server.AccessLog
| rex field=message "uri=(?<url>[^,]+)"
| chart count by url