Forum Discussion
Basil_Parsley_1
Nimbostratus
NimbostratusiRule - findstr - find and pull data from HTML payload to Splunk
Guys,
I have been tasked with sorting a HSL log sent from an LTM to Splunk ; basically is a website which customers log in putting in a username / password, subsequent orders require the input of an additional customer ID which turns up in the HTML payload to the server ; we want to log the customer ID whenever it is seen in a relevant payload. I have other data sets sending OK via HSL to Splunk.
The customer Id shows up in the HTML as “customerID12345678” (always 8 digits). Q. How can I get an outcome whereby I get e.g. “Customer ID = 12345678 into the HSL log?
Overall the nascent iRule is looking like the below ..I need to understand what I need to do to line 1 to achieve my aim.
set hsl [HSL::open -proto TCP -pool SPLUNK]
set resp_custID [findstr [HTTP::payload] "CustomerID"
HSL::send $hsl “Customer-ID=” $resp_custID\n"
Q2. The issue with the above is I am going to be creating a bunch of logs with “Customer-ID= blank space ; is there a more elegant approach to this ?
Q3. My logging iRule commands are contained in an overall app iRule – I had been told if a HSL send line referenced a non existant string the whole iRule would grind to a halt – not sure as to the accuracy of this but is there any way HSL code could break an iRule? I am thinking of separating these into logging iRule – app iRule ..
Thanks !!!!
So it sounds like you only want to send the log when "CustomerID" is actually found. So do your
first and then checkset resp_custID [findstr [HTTP::payload] "CustomerID"
before logging.if { $resp_custID ne "" } {- Also if you want to be really elegant and don't want to check EVERY http payload, you can set a flag in HTTP_REQUEST when the appropriate uri is requested and unset it when it's not and then only send your logs if that flag is set.
Basil_Parsley_1So it sounds like you only want to send the log when "CustomerID --- True ;-) I will look to use the if statement .... My main knowledge gap here is that I do not know how to perform the logic that says - Take the next 8 digits following string and put these in a log. Could I use skip_count ; if so what would be the syntax?- The examples here don't help? https://clouddocs.f5.com/api/irules/findstr.html ---------------------------------------------------------------------------------------- [findstr [HTTP::payload] "" 12 ""]
