topic Re: How to count stats by grouping substring from an URI in Splunk Search

How to count stats by grouping substring from an URI

prakashpnvs — Wed, 18 Sep 2019 15:44:42 GMT

Here is my search:
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/*

and I have the following logs in my search:
/PL/data/2.0/space/appA/29323820jdd3723.txt
/PL/data/2.0/space/appA/search/373367672djbd
/PL/data/2.0/space/appB/abcdefsfjdf.pdf
/PL/data/2.0/space/appB/get/9668568696
/PL/data/2.0/space/appC/search/9650865686rt
/PL/data/2.0/space/appD/6384387498374.jpg

Now, I want the stats count results like below:
appA 2
appB 2
appC 1
appD 1

Re: How to count stats by grouping substring from an URI

Anantha123 — Wed, 18 Sep 2019 17:03:00 GMT

Try this
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | table App Request | stats count by APP

Re: How to count stats by grouping substring from an URI

prakashpnvs — Wed, 18 Sep 2019 17:41:32 GMT

Executed this in Splunk UI and got the results in Visualization tab
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | stats count by APP

also sorted it by ..... | sort - count

Thanks much!