Splunk 101
Filter API paths
I have events containing API request paths like the following:
PUT /api/v1/apps/{id}
PUT /api/v1/apps/{id}/users
PUT /api/v1/apps/{id}/verify/{vid}
and so on. I want only the events matching the first pattern above, i.e. PUT /api/v1/apps/{id}, and want to discard the rest. The Splunk expression for this is:
requestPath=/api/v1/apps/* PUT | regex requestPath="/api/v1/apps/([a-zA-Z0-9?]+)$"
According to the Splunk docs, use the regex command to filter events, and use the rex command to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions.
Notes
requestPath is a field available in the event, so we use it with the regex command. Specifying a field name is optional; if you omit it, regex runs against the default _raw field, which is the whole event.
Extract path variables from API path
Example
You have an API, say GET /app/{appName}/{appId}/users, with events such as "GET /app/google/0xcafebabe/users",
and you want to extract the appName and appId fields from all events (the named groups in the query below call them applicationName and applicationId).
The following query extracts these fields:
"GET /app/*/users" | rex field=_raw "\/app\/(?<applicationName>[^/]+)\/(?<applicationId>[^/]+)\/users"
Explanation
- The escape character (\) is needed before each (/) in the path
- [^/]+ matches any run of characters other than /, occurring at least once, hence the +
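To see what the regex (filter) and rex (extract) steps above actually do to events, here is an added Python example that is not part of the original post and not Splunk code: it runs the post's two patterns over a handful of constructed request lines. The EVENTS list, the field names and the function names are assumptions made for the illustration. One detail it surfaces: Splunk's PCRE writes named groups as (?<name>...), while Python's re module needs (?P<name>...).

```python
import re

# Constructed sample events (not from the original post), one request per event.
EVENTS = [
    {"method": "PUT", "requestPath": "/api/v1/apps/42"},
    {"method": "PUT", "requestPath": "/api/v1/apps/42/users"},
    {"method": "PUT", "requestPath": "/api/v1/apps/42/verify/7"},
    {"method": "GET", "requestPath": "/api/v1/apps/42"},
    {"method": "PUT", "requestPath": "/api/v1/other/42"},
]

# Stand-in for: requestPath=/api/v1/apps/* PUT | regex requestPath="/api/v1/apps/([a-zA-Z0-9?]+)$"
# The trailing $ is what rejects the /users and /verify/{vid} variants.
FILTER_RE = re.compile(r"/api/v1/apps/([a-zA-Z0-9?]+)$")


def filter_app_id_puts(events):
    """Keep only PUT events whose requestPath is exactly /api/v1/apps/{id}."""
    kept = []
    for ev in events:
        # the base search: requestPath=/api/v1/apps/* PUT
        if ev["method"] != "PUT" or not ev["requestPath"].startswith("/api/v1/apps/"):
            continue
        # the regex command: drop events whose field does not match the pattern
        if FILTER_RE.search(ev["requestPath"]):
            kept.append(ev)
    return kept


# Stand-in for: rex field=_raw "\/app\/(?<applicationName>[^/]+)\/(?<applicationId>[^/]+)\/users"
# Python's re spells named groups (?P<name>...); the \/ escapes still mean a literal slash.
EXTRACT_RE = re.compile(
    r"\/app\/(?P<applicationName>[^/]+)\/(?P<applicationId>[^/]+)\/users"
)


def rex_extract(raw):
    """Return the named-group captures as a dict; {} when the pattern does not
    match, mirroring rex leaving the fields unset on non-matching events."""
    m = EXTRACT_RE.search(raw)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    for ev in filter_app_id_puts(EVENTS):
        print("kept:", ev["method"], ev["requestPath"])
    for raw in ("GET /app/google/0xcafebabe/users", "GET /app/google/users"):
        print(raw, "->", rex_extract(raw))
```

The filter keeps a single event, /api/v1/apps/42, because [^/]+ in the rex pattern and the $ anchor in the regex pattern each stop at a slash; "GET /app/google/users" yields no fields at all, which is why a rex that silently matches nothing is worth checking with a quick search for the extracted field.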
Combine 2 timecharts
host=* "POST /api/op" | timechart span=1d count as count1 | appendcols [search host=* "POST /api/op2" | timechart span=1d count as count2]
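appendcols attaches the subsearch's columns to the main results row by row, by position rather than by _time, so the two timecharts line up only when both cover the same time range with the same span. The added Python example below is not part of the original post and not Splunk code: it simulates the two daily timecharts over constructed events and shows the combined table both when the windows agree and when the subsearch window starts later. The EVENTS list, the ISO date strings and the function names are assumptions made for the illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample events (not from the original post): (day, host, request line).
EVENTS = [
    ("2024-01-01", "web1", "POST /api/op"),
    ("2024-01-01", "web1", "POST /api/op2"),
    ("2024-01-02", "web2", "POST /api/op"),
    ("2024-01-02", "web2", "POST /api/op"),
    ("2024-01-03", "web1", "POST /api/op2"),
    ("2024-01-04", "web2", "POST /api/op"),
]


def timechart_daily_count(events, request_line, earliest, latest, field):
    """Stand-in for: host=* "<request_line>" | timechart span=1d count as <field>
    Like timechart, emit one zero-filled bucket per day of the search window."""
    start, end = date.fromisoformat(earliest), date.fromisoformat(latest)
    hits = Counter(date.fromisoformat(d) for d, _, text in events if text == request_line)
    rows, day = [], start
    while day <= end:
        rows.append({"_time": day, field: hits[day]})
        day += timedelta(days=1)
    return rows


def appendcols(rows, sub_rows):
    """Stand-in for: | appendcols [ ... ]
    Subsearch columns are attached by row position (row 1 to row 1, ...), never by _time;
    main rows beyond the subsearch's length simply get no extra columns."""
    out = []
    for i, row in enumerate(rows):
        merged = dict(row)
        if i < len(sub_rows):
            merged.update({k: v for k, v in sub_rows[i].items() if k != "_time"})
        out.append(merged)
    return out


def combined_chart(events, earliest, latest, sub_earliest=None, sub_latest=None):
    """Run both timecharts and combine them as the post's query does. When the
    subsearch window differs from the main one, the positional join pairs the wrong days."""
    main = timechart_daily_count(events, "POST /api/op", earliest, latest, "count1")
    sub = timechart_daily_count(events, "POST /api/op2",
                                sub_earliest or earliest, sub_latest or latest, "count2")
    return appendcols(main, sub)


if __name__ == "__main__":
    for label, kwargs in (("aligned", {}), ("skewed", {"sub_earliest": "2024-01-03"})):
        print(label)
        for row in combined_chart(EVENTS, "2024-01-01", "2024-01-04", **kwargs):
            print(" ", row["_time"], row["count1"], row.get("count2", "<missing>"))
```

In the aligned run each day carries its own count1 and count2. In the skewed run the subsearch's first row (2024-01-03) is glued onto the main search's first row (2024-01-01), and the last two days get no count2 at all, with no error from appendcols; checking that both searches use the same earliest/latest and span is the cheap way to avoid a chart that looks plausible but is shifted.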