topic how to sum http get/post/ delete in log sample? in Splunk Search

how to sum http get/post/ delete in log sample?

jw44250 — Mon, 10 Apr 2017 18:17:01 GMT

Total Get =4

Total Post = 10
Total PUT=30

Log files example
index=index1
2017-04-08, logger="test1, AppId="100",", httpPort="8443", accept="", contentType="application/json", requestURI="/employees", httpMethod="POST",
2017-04-03, logger="test1, AppId="100",", httpPort="8443", accept="", contentType="application/json", requestURI="/employees", httpMethod="POST",
2017-04-02, logger="test1, AppId="100",", httpPort="8443", accept="", contentType="application/json", requestURI="/employees", httpMethod="POST",

index=index2
2017-03-03, logger="test2", AppId="200",", , accept="", contentType="application/json", requestURI="/employee/1234", httpMethod="GET",

index=index3
2017-02-01, logger="test1, AppId="300",", httpPort="8443", accept="", contentType="application/json", contentLength="267", requestURI="/employee/create", httpMethod="PUT",

Re: how to sum http get/post/ delete in log sample?

somesoni2 — Mon, 10 Apr 2017 19:20:45 GMT

Try like this

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) OR (index=index3 sourcetype=sourcetype3)
| stats count by httpMethod

Re: how to sum http get/post/ delete in log sample?

jw44250 — Mon, 10 Apr 2017 19:29:25 GMT

Hi,

Thanks...it would work..but my logs are different for each index ..
i can do something like

i was planning to do something like since the index result logs vary.. index=A | stats count by sourcetype | append [search index=B | stats count by sourcetype]

One more thing : i was trying to get full text from message below:

"exception(?\s\w+\s\w+)" --> result hello test but no acception, but i want full "exception hello test" whole text or statement

Re: how to sum http get/post/ delete in log sample?

somesoni2 — Mon, 10 Apr 2017 19:34:27 GMT

If you want it by sourcetype, just simple add the sourcetype in the by clause of the stats. Or event better use chart so you get nice table with httpMethod as columns, like this

(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) OR (index=index3 sourcetype=sourcetype3)
 | chart count by sourcetype httpMethod

To get the exception string also part of your field value, add it inside the capturing group.

... | rex  "(?<yourfieldname>exception\s\w+\s\w+)"

Re: how to sum http get/post/ delete in log sample?

jw44250 — Mon, 10 Apr 2017 19:54:47 GMT

Thanks it worked.. actually I did exactly..

Now i'm facing this issue how extract another event from the same log file and a called yourfieldname 2

rex "(?exception\s\w+\s\w+)" yourfieldname 1

rex "(?Message\s\w+\s\w+)" yourfieldname 2

but if i use pipe it will not works.

extracting multiple fields from the same index but differnet events
message 1 event1
message 2 event 2
etc