Splunk query to construct the table as needed

super_edition (Path Finder)

Hello Everyone,

With the below query
<my_search_index>
| spath uri | search uri="/vehicle/orders/v1" OR uri="/vehicle/orders/v1*/validate" OR uri="/vehicle/orders/v1*/process" OR  uri="/vehicle/orders/v1*/processInsurance"
| eval Operations=case(
searchmatch("/vehicle/orders/v1*/processInsurance"),"processInsurance",
searchmatch("/vehicle/orders/v1/*/validate"),"validateOrder",
searchmatch("/vehicle/orders/v1/*/process"),"processOrder",
searchmatch("/vehicle/orders/v1"),"createOrder")
| stats count as hits avg(request_time) as average perc90(request_time) as response90 by Operations
| eval average=round(average,2),response90=round(response90,2)

I am able to construct the table:

[screenshot: the resulting table]

Apart from the 4 URL patterns mentioned in the query, I need to include the following URL pattern for getOrder:

uri: /vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179

from the raw Splunk log:

{
"request_timestamp ": "02/Jan/1984:09:05:04",
"response_timestamp": "01/Jan/1984:09:05:04 +0000",
"kong_request_id": "my_kong_req_id",
"ek-correlation-id": "my_corr_id",
"ek-request-id": "my_req_id",
"ek-transaction-id": "",
"req_id": "",
"channel_name": "",
"logType": "kong",
"traceparent": "0traceparent",
"request_method": "GET",
"remote_addr": "1.2.3.4",
"server_addr": "5.5.6.6",
"scheme": "https",
"host": "my.host.com",
"status": 200,
"request_method": "GET",
"uri": "/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179",
"server_protocol": "HTTP/1.1",
"bytes_sent": 23663,
"body_bytes_sent": 23547,
"request_length": 1367,
"http_referer": "-",
"http_user_agent": "-",
"request_time": "0.010",
"upstream_response_time": "0.008",
"upstream_addr": "1.3.5.7",
"http_content_type": "application/json",
"upstream_host": "my.host.com"
}

I am not sure how to change my query to include the required URL pattern. If I try this: /vehicle/orders/v1/* or /vehicle/orders/v1/*-*-*-*-*

it might include the counts of the patterns below as well:

/payment/orders/v1*/processInsurance
/payment/orders/v1/*/validate
/payment/orders/v1/*/process

/payment/orders/v1

Appreciate your help.


ITWhisperer (SplunkTrust)

Try something like this

<my_search_index>
| spath uri
| regex uri="\/vehicle\/orders\/v1(.*\/processInsurance|\/.*\/validate|\/.*\/process|\/([^-]+-){4}[^-]+)$"
| eval Operations=case(
searchmatch("/vehicle/orders/v1*/processInsurance"),"processInsurance",
searchmatch("/vehicle/orders/v1/*/validate"),"validateOrder",
searchmatch("/vehicle/orders/v1/*/process"),"processOrder",
searchmatch("/vehicle/orders/v1/*-*-*-*-*"),"getOrder",
searchmatch("/vehicle/orders/v1"),"createOrder")
| stats count as hits avg(request_time) as average perc90(request_time) as response90 by Operations
| eval average=round(average,2),response90=round(response90,2)

super_edition (Path Finder)

Thanks @ITWhisperer

With your Splunk query I am currently able to list the URL patterns below only:

/vehicle/orders/v1/dbd20er9-g7c3-4e71-z089-gc1ga8272179
/vehicle/orders/v1/*/processInsurance
/vehicle/orders/v1/*/validateInsurance
/vehicle/orders/v1/*/validate
/vehicle/orders/v1/*/process

I missed including 1 more pattern.

/vehicle/orders/v1   (new one)


Please help. Thanks in advance

ITWhisperer (SplunkTrust)

OK, assuming there are no more typos in your examples, try something like this:

<my_search_index>
| spath uri
| regex uri="\/vehicle\/orders\/v1(|.*\/processInsurance|\/.*\/validate|\/.*\/validateInsurance|\/.*\/process|\/([^-]+-){4}[^-]+)$"
| eval Operations=case(
match(uri,"/vehicle/orders/v1/.*/processInsurance"),"processInsurance",
match(uri,"/vehicle/orders/v1/.*/validateInsurance"),"validateInsurance",
match(uri,"/vehicle/orders/v1/.*/validate"),"validateOrder",
match(uri,"/vehicle/orders/v1/.*/process"),"processOrder",
match(uri,"/vehicle/orders/v1/[^-]*-[^-]*-[^-]*-[^-]*-[^-]*"),"getOrder",
match(uri,"/vehicle/orders/v1"),"createOrder")
| stats count as hits avg(request_time) as average perc90(request_time) as response90 by Operations
| eval average=round(average,2),response90=round(response90,2)
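To make the accepted query's behaviour checkable offline, here is an added Python re-implementation of its `regex` filter, `case()` ordering and `stats` step (example code written for this page, not Splunk's and not part of the thread) run over constructed Kong-style events; it assumes `re.search` mirrors Splunk's unanchored `regex`/`match()` semantics, and the nearest-rank percentile stands in for Splunk's `perc90`, which is approximate on large result sets.

```python
import json
import math
import re

# The accepted answer's `| regex uri=...` filter: $-anchored, so only "/v1" itself, the four actions and a 5-part id pass.
URI_FILTER = re.compile(
    r"/vehicle/orders/v1(|.*/processInsurance|/.*/validate|/.*/validateInsurance|/.*/process|/([^-]+-){4}[^-]+)$")

# Same order as the SPL case(): match() is unanchored, so "validateInsurance" is tested before "validate", "/v1" last.
OPERATIONS = [
    ("processInsurance", re.compile(r"/vehicle/orders/v1/.*/processInsurance")),
    ("validateInsurance", re.compile(r"/vehicle/orders/v1/.*/validateInsurance")),
    ("validateOrder", re.compile(r"/vehicle/orders/v1/.*/validate")),
    ("processOrder", re.compile(r"/vehicle/orders/v1/.*/process")),
    ("getOrder", re.compile(r"/vehicle/orders/v1/[^-]*-[^-]*-[^-]*-[^-]*-[^-]*")),
    ("createOrder", re.compile(r"/vehicle/orders/v1")),
]

ORDER_ID = "dbd20er9-g7c3-4e71-z089-gc1ga8272179"  # placeholder id copied from the question, not a real order

def log_line(uri, request_time):  # minimal Kong-style JSON event in the question's shape (constructed data)
    return json.dumps({"logType": "kong", "request_method": "GET", "uri": uri, "request_time": request_time})

# Constructed sample: two getOrder hits, one hit per other action, one /payment/ event that must be dropped.
SAMPLE_LOG = [
    log_line("/vehicle/orders/v1", "0.120"),
    log_line(f"/vehicle/orders/v1/{ORDER_ID}", "0.010"),
    log_line(f"/vehicle/orders/v1/{ORDER_ID}", "0.030"),
    log_line(f"/vehicle/orders/v1/{ORDER_ID}/validate", "0.050"),
    log_line(f"/vehicle/orders/v1/{ORDER_ID}/validateInsurance", "0.070"),
    log_line(f"/vehicle/orders/v1/{ORDER_ID}/process", "0.300"),
    log_line(f"/vehicle/orders/v1/{ORDER_ID}/processInsurance", "0.200"),
    log_line(f"/payment/orders/v1/{ORDER_ID}/validate", "0.040"),
]

def classify(uri):  # Operations label for a uri, or None when the regex filter drops the event
    if not URI_FILTER.search(uri):
        return None
    return next((name for name, pat in OPERATIONS if pat.search(uri)), None)

def stats_by_operation(lines):
    """Mirror `stats count avg(request_time) perc90(request_time) by Operations`, rounded to 2 places."""
    times = {}
    for line in lines:
        event = json.loads(line)  # stands in for `| spath uri`
        op = classify(event["uri"])
        if op is not None:
            times.setdefault(op, []).append(float(event["request_time"]))
    return {op: {"hits": len(t), "average": round(sum(t) / len(t), 2),  # nearest-rank 90th percentile
                 "response90": round(sorted(t)[math.ceil(0.9 * len(t)) - 1], 2)} for op, t in times.items()}
```

Swapping the "validateInsurance" and "validateOrder" entries in OPERATIONS reproduces the mislabelling the ordering guards against, which is a quick way to test any future pattern you add.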

super_edition (Path Finder)

Thanks once again @ITWhisperer. It works as expected.
