Available: parseUri() v1.113.0

The parseUri() function is available from v1.113.0

This function extracts URI components from an input field and adds them as attributes to the event.

ParameterTypeRequiredDefaultDescription
defaultBasestringoptional[a]  A scheme and authority prefix or //, used as the base to resolve the input as a URI reference. Valid values are of the form // or scheme:// where scheme is a URI scheme .
field[b]stringrequired  The name of the input field that contains the value to analyze.
prefixstringoptional[a]input field name An optional prefix for the field names for the components that are added to the event. It is an error to provide an empty prefix.

[a] Optional parameters use their default value unless explicitly set

[b] The argument name field can be omitted.

Omitted Argument Names

The argument name for field can be omitted; the following forms of this function are equivalent:

logscale
parseUri("value")

and:

logscale
parseUri(field="value")

These examples show basic structure only; full examples are provided below.

This function is most useful for interpreting partial URIs like www.example.com/path: instead of requiring fully valid URIs, parseUri() accepts a "base" (for example, defaultBase=http://) used to extract the hostname, port, path, query, and fragment parts.

if the input URI has no authority component, the event is left unchanged, similar to the parseUrl() behavior — example.com is interpreted as the scheme and it won't find a hostname or path (because it is trying to interpret the input as a URI): that's where providing the "base" can override such behavior.

If a base is used with a full URI, it is ignored; for example, consider this value in the url field:

HTML
ftp://example.com/path

The query:

logscale
parseUri(field="url", defaultBase="http://")

will extract url.scheme=ftp and not url.scheme=http.

See parseUri() Examples for more examples.

This function is more lenient in what it considers a URI than the specification requires and matches mostly on the structure of the input (with some restrictions); this is by design to make the functionality useful in different contexts.

Note

This function does no normalization/decoding on the components (like percent-encoding or path normalization). This is intended to process the actual parts of the input as they were in the logs.

The fields added to the event are listed in table here below — they are only added if the input can be parsed as a URI itself or resolved to a URI reference by providing the defaultBase parameter. The url. prefix is replaced by the input field name or the specified target field name.

Attribute Description
url.scheme The scheme in input value, if found. Otherwise, the scheme found in the base, if a base argument is provided and has a scheme.
url.hostname The hostname, if found.
url.username The username, if found
url.password The password, if found.
url.port The port in the authority, if found.
url.path The path, if found in the input. It can be empty.
url.query The query component, if found in the input.
url.fragment The fragment component, if found in the input.

Unless noted otherwise, the field for a component is not added if the component is not present in the input value.

Values are provided as found in the input i.e. without normalization (does not apply to scheme and port, which can't be normalized).

parseUri() Examples

  • Input:

    HTML
    example.com:8080/foo

    Query:

    logscale
    parseUri(field="url", defaultBase="http://")

    Output:

    host=example.com
    path=/foo
    port=8080
    scheme=http
  • Input:

    HTML
    example.com:8080/foo

    Query:

    logscale
    parseUri(field="url")

    Output:

    scheme=example.com
    path=8080/foo
  • Input:

    HTML
    ftp://example.com:8080/foo

    Query:

    logscale
    parseUri(field="url", defaultBase="http://")

    Output:

    host=example.com
    path=/foo
    port=8080
    scheme=ftp