topic Re: How to merge and make one result out of multiple results in Splunk Search

How to merge and make one result out of multiple results

raviteja029 — Fri, 05 Jan 2018 20:24:08 GMT

HI,

I have a result which displays common starting URI. but I have to combine it to one and have the result, how can I do it ?

Result -

/credit/company/23532525 . 10
/credit/company/34532523 . 30
/credit/product/23235225 . 40

I need something like

/credit/ 80

Re: How to merge and make one result out of multiple results

micahkemp — Fri, 05 Jan 2018 20:27:58 GMT

Updated to remove the limitation of just Credit events.

index=cap host=prod
| rex field=URI "^(?<firstsegment>/[^/]+)/"
| stats count BY firstsegment

Re: How to merge and make one result out of multiple results

raviteja029 — Fri, 05 Jan 2018 20:32:33 GMT

Thank you for the reply.

So after I did the below search

index=cap host=prod SERVICE="Credit" | eval product=case( URI="/credit/" ,"Credit", 1==1,URI ) | stats count as total by product

I got

/credit/company/23532525 . 10
/credit/company/34532523 . 30
/credit/product/23235225 . 40

I need that to be

/credit/ . 80

Re: How to merge and make one result out of multiple results

micahkemp — Fri, 05 Jan 2018 20:38:01 GMT

Edited to take that into consideration.

Re: How to merge and make one result out of multiple results

raviteja029 — Sun, 07 Jan 2018 08:09:57 GMT

Thanks for the reply, this works!

How can I add multiple URI's like credit, trans, bank.... ?

where I am looking forward an output like below,

/credit/ . 80
/transaction/ . 100
/Bank/ . 50

Re: How to merge and make one result out of multiple results

niketn — Sun, 07 Jan 2018 16:37:17 GMT

[UPDATED]
Modified mock query based on updated details.

@raviteja029, can you post some sample URIs from your raw events with credit transaction and bank? Do they actually start like the example in your question i.e. /credit/... or is there something prefixing i.e..../credit/...? While posting the code and sample data make sure you use the code button (101010) so that special characters like asterisk (*) do not escape.

Following is a run anywhere search based on the sample data in the question. Pipes from makeresults till mvexpand mimic the sample data.

The eval command uses replace() function to retain only the first part of URI and then stats count by URI gives the required result you are looking for.

| makeresults
| eval URI="https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525"
 | makemv URI delim=";" 
 | mvexpand URI
 | eval URI=replace(URI,"^(.*).com\/([^\/]+)?+\/(.*)","\2")
 | stats count by URI

PS: You can try the following command in your case (if it does not work post actual URI values as per your events as requested):

 index=cap host=prod SERVICE="Credit" 
| eval URI=replace(URI,"^(.*).com\/([^\/]+)?+\/(.*)","\2")
| stats count by URI

Re: How to merge and make one result out of multiple results

raviteja029 — Sun, 07 Jan 2018 16:55:26 GMT

@aniketnilay Thank you for your response.

My actual query should go search the 3 URI's in the entire set of results which are
Credit, Bank, Transactions in the URI and the URI's of each something looks like below,

Bank - https://api-sandbox.****.com/bank/deposits/account-applications
- https://api-sandbox.****.com/bank/deposits/details
- https://api-sandbox.****.com/bank/application/

Credit - https://api-sandbox.****.com/credit/products?li/34141
- https://api-sandbox.****.com/credit/business/43414

here I want to get details where how many calls were made for each API for credit/Bank/Transactions and compare in once single graph

Re: How to merge and make one result out of multiple results

micahkemp — Sun, 07 Jan 2018 17:12:24 GMT

I think you just need to not filter for just the Credit events. I've updated my answer to reflect this.

Re: How to merge and make one result out of multiple results

raviteja029 — Sun, 07 Jan 2018 17:21:52 GMT

With the updated search it's not showing any result.

Re: How to merge and make one result out of multiple results

niketn — Wed, 10 Jan 2018 18:00:33 GMT

@raviteja029, can you try the updated answer?

Re: How to merge and make one result out of multiple results

raviteja029 — Wed, 10 Jan 2018 18:09:23 GMT

@niketnilay thank you for the response.

I was able to get the answer by using the below search, your answers helped me get there.

index=cap host=prod |
eval product=case(URI like "/credit/%","Credit",
URI like "/credit/%","Transactions",1==1, "Others")|
stats count by product