All Apps and Add-ons

Need a querry to triage an api on all possible hosts.

vikram_m
Path Finder

We have around 10 hosts with similar APIs i.e 20. something like below.

/api/v1/device/host1
/api/v1/device/host2
/api/v1/device/host3
/api/v1/device/host4
/api/v1/device/host5
/api/v1/device/host1/provisioning/
/api/v1/device/host2/provisioning/
/api/v1/device/host3/provisioning/
/api/v1/device/host5/provisioning/
/api/v1/device/host6/provisioning/
/api/v1/device/host7/provisioning/
/api/v1/device/host1/authentication
/api/v1/device/host2/authentication
/api/v1/device/host3/authentication
/api/v1/device/host3/authentication
/api/v1/device/host4/authentication
/api/v1/device/host5/authentication

based on these set of 20 apis and 10 devices I need a querry which can give me stats for the individual apis irrespective of devices something like below.

/api/v1/device//authentication/ 10
/api/v1/device/
/provisioning/ 20
/api/v1/device/* 12

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vikram_m

You can use the regular expression for extracting devices and apis from URL and use stats command to get the desired output.

try this rex command for extracting.

| rex field=_raw "\/api\/v1\/device\/(?<device>[^\/]+)(\/(?<api>[^\/]+))?"

Then after you can use stats command.

like.

For distinct devices : | stats dc(device) as devices
For count by api: | stats count by api

Use this sample search:

|makeresults | eval _raw="
URL
/api/v1/device/host1
/api/v1/device/host2
/api/v1/device/host3
/api/v1/device/host4
/api/v1/device/host5
/api/v1/device/host1/provisioning/
/api/v1/device/host2/provisioning/
/api/v1/device/host3/provisioning/
/api/v1/device/host5/provisioning/
/api/v1/device/host6/provisioning/
/api/v1/device/host7/provisioning/
/api/v1/device/host1/authentication
/api/v1/device/host2/authentication
/api/v1/device/host3/authentication
/api/v1/device/host3/authentication
/api/v1/device/host4/authentication
/api/v1/device/host5/authentication
"| multikv | rex field=_raw "\/api\/v1\/device\/(?[^\/]+)(\/(?[^\/]+))?" | stats dc(device) as devices
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...