topic How do I group similar URLs into one event? in Splunk Search

How do I group similar URLs into one event?

deeps1984 — Wed, 14 Sep 2016 15:49:42 GMT

I am doing a search to get the total count of different URIs and their response times. My result has multiple events of similar URLs -

Like /abc/{id1}/xyz;  
/abc/{id2}/xyz
/abc/{id3}/xyz.

Only the {id} in the URL varies, and the rest of the URI portion is same.

How can I group these events as 1 event, and still get the total count of hits to this URI?

This is my search -

index=stuff RelativeURI="/abc/*/xyz"  |stats count as total_call_count, avg(ResponseTime) as avgResponse by RelativeURI

Re: How do I group similar URLs into one event?

somesoni2 — Wed, 14 Sep 2016 16:11:12 GMT

Try this

index=stuff RelativeURI="/abc/*/xyz" | eval RelativeURI =replace(RelativeURI ,"^(\/[^\/]+\/)([^\/]+)(\/[^\/]+)","\1XXX\3") |stats count as total_call_count, avg(ResponseTime) as avgResponse by RelativeURI

Re: How do I group similar URLs into one event?

somesoni2 — Wed, 14 Sep 2016 16:13:21 GMT

On second thought, if you're hardcoding the URL (format at least) in the base search, why not just remove the by clause from stats. That will give you total count and average for all matching URI's. Like this

index=stuff RelativeURI="/abc/*/xyz" |stats count as total_call_count, avg(ResponseTime) as avgResponse | eval RelativeURI="/abc/*/xyz" | table RelativeURI total_call_count avgResponse

Re: How do I group similar URLs into one event?

sundareshr — Wed, 14 Sep 2016 16:16:09 GMT

Try this

index=stuff RelativeURI="/abc/*/xyz" | rex field=RelativeURI "(?<url1>\/\S+\/)\S+\/(?<url2>\S+)" | eval url=url1.url2 | stats count as total_call_count, avg(ResponseTime) as avgResponse by url