I have paths like this:
https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/
https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/service-data/op...
https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/service-data/uc...
I tried:
index=abc sourcetype="audit" "|https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/*/|"
The wildcard * is capturing above three as single API, I need them as three separate ones. All help is appreciated.
index=abc sourcetype="audit" | rex field=_raw "/service-list/(?<api>[^/]+)/" | stats count by api
The rex command will run a regular expression over the strings, grab the portion that follows /service-list/ and stores it in the field 'api'. The stats count command counts the frequency of each unique api, giving you the usage.
The portion that follows "/service-list/" is unique id and is followed by "/service-data/oper-status/" ..........so I need count like this:
1. https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/service-data/op... ---1000
2. https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/service-data/uc... ----970
3. https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/ -----500
The 3rd APIs count should not include counts of 1st and 2nd though the path looks like superset of 1 and 2
So what you actually want to capture is everything up until the pipe | symbol. In this case, this is the regular expression
index=abc sourcetype="audit" | rex field=_raw "/service-list/(?[^|]+)|" | stats count by api
You have these paths inside events?
Also, you have pipe characters inside your search - from that I assume you trimmed the events you are displaying here? Could you instead paste the full event - just pick one, obfuscating if necessary but please try to keep the structure the same?
2017-05-12T14:44:40:995+00:00|2017-05-12T14:44:40:999+00:00|xaxaxabb-eb88-4b9a-xxxx-83xxxx38a6|v2.0/sites/site/mccfl/ports/port/xaxaxabb-eb88-4b9a-xsss-83xxdd38a6|1967149302-19938||https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/|admin|COMPLETE...