extractor chaining


1 comment

  • Latimer Luis

    Here's a question: Do you need to keep the URLs that don't match the pattern you're looking for? If so, then some sort of nodrop would be needed, which makes the query a little more complicated to write.

    Below is an example of what can be done to achieve what you're looking for.

    _sourceCategory=Apache/Access GET
    | parse "GET * HTTP/1.1\" * *" as url,status_code,bytes
    | parse field=url "*your_string*" as before,after nodrop
    | concat(before,"your_string",after) as new_field
    | parse field=new_field "*/*.*" as path,file,extension nodrop
    | fields -before,after,new_field //exclude the fields you don't need displayed

    If all you care about are the events containing this string, then the following should work and will perform better as well (notice the new keyword in the first line of the search): 

    _sourceCategory=Apache/Access GET "your_string"
    | parse "GET * HTTP/1.1\" * *" as url,status_code,bytes
    | where url matches "*your_string*"
    | parse field=url "*/*.*" as path,file,extension

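To make the drop/nodrop behaviour of the two queries in the comment above concrete, here is an added Python emulation of both pipelines run over a few constructed Apache common-log lines. This is example code, not part of the original thread or of Sumo Logic; it does not reproduce Sumo's wildcard matching exactly, each extractor is instead written as an explicit regex that yields the intended fields (url/status_code/bytes, before/after, path/file/extension), and `your_string` is kept as the placeholder marker the post uses.

```python
"""Emulation of the two Sumo Logic query variants from the comment above.

Added example, not code from the original post. Sumo's parse wildcard
semantics are approximated with explicit regexes; the point is to show which
rows survive each variant and which fields are left empty under nodrop."""
import re
from typing import Optional

# Placeholder from the post: the substring whose presence in the URL we key on.
MARKER = "your_string"

# Constructed Apache common-log lines (sample input, not from the thread).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /app/your_string/report.pdf HTTP/1.1" 200 2326',
    '10.0.0.6 - - [10/Oct/2023:13:55:37 +0000] "GET /static/img/logo.png HTTP/1.1" 304 0',
    '10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /your_string/index.html HTTP/1.1" 404 512',
    '10.0.0.8 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 302 0',
]

# parse "GET * HTTP/1.1\" * *" as url,status_code,bytes
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/1\.1" (\d{3}) (\S+)')
# parse "*/*.*" as path,file,extension: directory, basename, extension after the last dot
FILE_RE = re.compile(r"^(.*)/([^/]*)\.([^./]*)$")


def parse_request(line: str) -> Optional[dict]:
    """First extractor. It has no nodrop, so a non-GET line yields None (dropped)."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    return {"url": m.group(1), "status_code": int(m.group(2)), "bytes": m.group(3)}


def parse_marker(url: str, marker: str) -> tuple:
    """parse field=url "*marker*" as before,after nodrop.
    (None, None) on a miss: the row survives with empty fields."""
    idx = url.find(marker)
    if idx < 0:
        return None, None
    return url[:idx], url[idx + len(marker):]


def parse_file(value: Optional[str]) -> tuple:
    """parse field=... "*/*.*" as path,file,extension; all None when it cannot match."""
    m = FILE_RE.match(value) if value is not None else None
    if m is None:
        return None, None, None
    return m.group(1), m.group(2), m.group(3)


def chained_query(lines, marker=MARKER):
    """First query in the comment: every GET row is kept; marker-derived fields
    are populated only where the marker exists (nodrop on extractors 2 and 3)."""
    rows = []
    for line in lines:
        row = parse_request(line)
        if row is None:
            continue  # first parse has no nodrop, so the POST line is dropped
        before, after = parse_marker(row["url"], marker)
        # concat(before,"your_string",after) as new_field rebuilds the URL when matched
        new_field = None if before is None else before + marker + after
        path, file, ext = parse_file(new_field)
        row.update(before=before, after=after, path=path, file=file, extension=ext)
        rows.append(row)
    return rows


def filtered_query(lines, marker=MARKER):
    """Second query: keyword in the scope line, then `where url matches`, then a
    drop-on-miss parse. Fewer rows survive, but every surviving row is fully populated."""
    rows = []
    for line in lines:
        if marker not in line:  # the keyword added to the first line of the search
            continue
        row = parse_request(line)
        if row is None or marker not in row["url"]:  # where url matches "*your_string*"
            continue
        path, file, ext = parse_file(row["url"])
        if path is None:  # no nodrop here: an unparseable URL drops the row
            continue
        row.update(path=path, file=file, extension=ext)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in chained_query(SAMPLE_LOGS):
        print("nodrop  :", r)
    for r in filtered_query(SAMPLE_LOGS):
        print("filtered:", r)
```

Running it on the sample shows the trade-off the comment describes: `chained_query` returns three rows, with the `logo.png` row kept but its before/after/path/file/extension all empty, while `filtered_query` returns only the two rows containing the marker, each with every field filled in.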
