display selected urls in the output which has nonz...

sahil237888 · ‎08-16-2020

Hi Team,

Can you help as I want only selected url's to display in my query output.

index=dev_env sourcetype="urldata" URL ="*" LoadTime="*"
| timechart span=1m eval(round(avg(LoadTime),0)) as TimeUsedtoload by URL
| fields + _time "https://www.pingtest.com/Logins/Login.aspx?testid=1578&actid=21047" https://www.pingtest.com/*/testing.aspx" "https://www.othertest.com/Logins/*.aspx"

The output includes all the URL's like -

_time https://www.servermonitor/server.aspx?filetype_id=474&mode=new https://www.pingtest.com/Testdata.aspx https://www.pingtest.com/Logins/Login.aspx?testid=1578&actid=21047 and_other_multipleurls

I want to display only URL's which are like " https://www.pingtest.com/Logins/Login.aspx?testid=1578&actid=21047" " https://www.pingtest.com/Logins/Login.aspx" " https://www.othertest.com/Logins/Login.aspx?testid=1578&"

and from above which are having not null values.

niketn · ‎08-16-2020

@sahil237888 you should filter URLs upfront while pulling from index (Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Search/Quicktipsforoptimization) . So if you are interested only in specific URLs you should add them to first SPL i.e.

index=dev_env sourcetype="urldata" URL IN ("https://www.pingtest.com/Logins/Login.aspx*","https://www.othertest.com/Logins/Login.aspx*") 
| timechart span=1m eval(round(avg(LoadTime),0)) as TimeUsedtoload by URL

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

isoutamo · ‎08-16-2020

Hi

add before stats

| where ( match(URL,"https://www.pingtest.com/<rest of static URL>%) AND match(URL, "<your Second static URL>%"))

and add there as many match part as needed.
r. Ismo

display selected urls in the output which has nonzero values

timechart

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout