topic Re: Raw data and count in Splunk Search

How to calculate Raw data for API endpoints and count?

mcscjlf — Mon, 11 Jul 2022 16:35:46 GMT

I don't have a ton of experience with Splunk yet but I've been asked to find API endpoints (which appear to be in our raw data) and see how often their being used.

Example Events:

| 2022-07-08 05:59:06 21.30.2.80 POST /api/transact/credit/sale 5051 - 571.232.505.62 okhttp/3.18.9

| 2022-07-08 05:02:01 22.35.3.79 POST /api/transact/device 6062 - 641.141.323.82 okhttp/2.15.3

What I want to end up with is the api and a count:

/api/transact/credit/sale 3,475

/api/transact/device 275

Is this possible?

Thank you!!

Re: Raw data and count

ITWhisperer — Fri, 08 Jul 2022 21:31:29 GMT

Assuming your apis are preceded by POST, try this

| rex "POST (?<api>\S+)" | stats count by api

Re: How to calculate Raw data for API endpoints and count

VatsalJagani — Sat, 09 Jul 2022 14:28:46 GMT

@mcscjlf - Try this:

| rex "\s+(?<ip>\d+\.\d+\.\d+\.\d+\s+)(?<http_method>\w+)\s+(?<endpoint>\S+)" | stats count by endpoint

* I've extracted general fields here - IP, http_method, and endpoint with regex.

I hope this helps!!!

Re: How to calculate Raw data for API endpoints and count

mcscjlf — Mon, 11 Jul 2022 15:26:25 GMT

This worked perfectly, thank you!!