Group urls together for get requests that have GUID in them

ak8675309 — Mon, 25 Jan 2021 00:03:43 GMT

Splunk noob here,

Wanted to group our get endpoints under a single entry. We have the following query

index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request" | stats count by "msg.Service.URL" |rename "msg.Service.URL" as "Endpoint"

The results come out as

I want the results with guid be grouped under a single value. So the desired output here would be

http://endpoint.example.com/sh/bundles 4944 (stays the same)
http://endpoint.example.com/sh/bundles/* 17 (the sum of all the endpoint counts with guid)

Trying to use the query like the following without any luck

| eval msg.Service.URL=case(like(msg.Service.URL, "http://endpoint.example.com/sh/bundles/%"), "http://endpoint.example.com/sh/bundles/*", 1=1, 'msg.Service.URL')

Re: Group urls together for get requests that have GUID in them

manjunathmeti — Mon, 25 Jan 2021 03:30:54 GMT

hi @ak8675309

Try this,

index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request" | rename "msg.Service.URL" as Endpoint | rex field=Endpoint mode=sed "s/bundles\/[\w-]+/bundles\/*/g" | stats count by Endpoint

If this reply helps you, an upvote/like would be appreciated.

Re: Group urls together for get requests that have GUID in them

ak8675309 — Mon, 25 Jan 2021 15:04:00 GMT

Thanks, this definitely helps me get the behavior.. just need to tweak the regex to suit my needs. Appreciate your help

topic Re: Group urls together for get requests that have GUID in them in Splunk Search

Group urls together for get requests that have GUID in them

Re: Group urls together for get requests that have GUID in them

Re: Group urls together for get requests that have GUID in them