topic Re: How to group and visualize 2 versions of same host name in Splunk Search

How to group and visualize 2 versions of same host name

andreshuexes — Wed, 30 Sep 2020 03:56:36 GMT

Hi,

Currently, I'm trying to find a way to extract the URL from this search, basically, our store has 2 versions Global /en and China /zh and grouping together all the urls of the products with each version (EN and ZH), I would like to base on this query getting the Google hits to our Store split by version since the host_name is the same I cannot find a way to do it

With this expression uri_path=/store/xxx/* I'm able to get all the URLs but then I cannot find a way to group them into 2 categories EN and ZH

Can anyone give me some tips?

Thanks a lot in advance

index=xxx_com_app client_ip="64.233." OR client_ip="66.102." OR client_ip="66.249." OR client_ip="72.14." OR client_ip="74.125." OR client_ip="209.85." OR client_ip="216.239." AND (user_agent="Googlebot-Image/1.0" OR user_agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" OR user_agent="Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Chrome/ Safari/537.36" OR user_agent="Googlebot/2.1 (+http://www.google.com/bot.html)" OR user_agent = "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/* Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" host_name="www.xxx.com") uri_path=/store/xxx/ | timechart span=1d count by uri_path limit=2

Re: How to group and visualize 2 versions of same host name

richgalloway — Wed, 29 Jan 2020 13:56:11 GMT

Please share some sample data, both /en and /zh, if possible.

Re: How to group and visualize 2 versions of same host name

nickhills — Wed, 29 Jan 2020 13:58:32 GMT

Try this:

index=xxx_com_app client_ip="64.233." OR client_ip="66.102." OR client_ip="66.249." OR client_ip="72.14." OR client_ip="74.125." OR client_ip="209.85." OR client_ip="216.239." AND (user_agent="Googlebot-Image/1.0" OR user_agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" OR user_agent="Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Chrome/ Safari/537.36" OR user_agent="Googlebot/2.1 (+http://www.google.com/bot.html)" OR user_agent = "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" host_name="www.xxx.com") uri_path=/store/xxx/* 
|rex field=uri_path "\/store\/(?P<region>[^\/]+)"
| timechart span=1d count by region

Re: How to group and visualize 2 versions of same host name

gcusello — Wed, 29 Jan 2020 14:00:11 GMT

Hi @andreshuexes,
could you share two examples of your logs with /en and /zh ?
Them please, correct your answer using Code Sample button, because now it isn't possible to correctly read your search.

Ciao.
Giuseppe

Re: How to group and visualize 2 versions of same host name

andreshuexes — Thu, 30 Jan 2020 10:59:26 GMT

Hello,

Sure,

We have a store with all the products in both versions, ideally, we would like to get the Googlebot hits to each of the English and China URLs separated

Here you have an example of a URL, the only difference is the EN or ZH

https://www.xxx.com/store/yyy/en/p/product/?p=qwerty
https://www.xxx.com/store/yyy/zh/p/product/?p=qwerty

Thanks
Andres

Re: How to group and visualize 2 versions of same host name

andreshuexes — Thu, 30 Jan 2020 10:59:50 GMT

Hello Giuseppe,

Sure,

We have a store with all the products in both versions, ideally, we would like to get the Googlebot hits to each of the English and China URLs separated

Here you have an example of a URL, the only difference is the EN or ZH

https://www.xxx.com/store/yyy/en/p/product/?p=qwerty
https://www.xxx.com/store/yyy/zh/p/product/?p=qwerty

Thanks
Andres

Re: How to group and visualize 2 versions of same host name

andreshuexes — Thu, 30 Jan 2020 11:00:53 GMT

Hey,

Thanks for the reply,

I cannot make it work

Thanks

Re: How to group and visualize 2 versions of same host name

nickhills — Thu, 30 Jan 2020 11:05:33 GMT

Did you modify the xxx in the above to suit your needs?

You probably want to set the uri to ”*store/*”and host_name to something sensible

Re: How to group and visualize 2 versions of same host name

gcusello — Thu, 30 Jan 2020 12:54:55 GMT

Hi @andreshuexes,
you can use your search to extract results, and from these results extract the region.

index=xxx_com_app 
(client_ip="64.233." OR client_ip="66.102." OR client_ip="66.249." OR client_ip="72.14." OR client_ip="74.125." OR client_ip="209.85." OR client_ip="216.239." )
(user_agent="Googlebot-Image/1.0" OR user_agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" OR user_agent="Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html) Chrome/ Safari/537.36" OR user_agent="Googlebot/2.1 (+http://www.google.com/bot.html)" OR user_agent = "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)") host_name="www.xxx.com") uri_path=/store/xxx/* 
| eval region=if(like(url,"%en%"),"Global","China")
| timechart span=1d count by region

If you can have more regions than Global and China, you can use case instead of if in the eval statement or a regex to extract the region.

Ciao.
Giuseppe