Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

parsing specific area of a field

angelboshnakov
New Member
‎10-12-2014 03:39 AM

Hello all,

just wondering if it is possible and how to do the following search?

Got a field with URLs ( for example: /v0.1/first/second/third?= ) and a field with IPs that have hit each URL.

ex:
"URL /v0.1/first/second/third=12 IP: 10.10.10.10 "
"URL /v0.1/first/second/third=123 IP: 11.11.11.11 "
"URL /v0.1/first/second/third=1234 IP: 12.12.12.12"
"URL /v0.1/first/second/123 IP: 13.13.13.13 "
"URL /v0.1/first/1234 IP: 13.13.13.13"

How should I make my search in order to:

match and count the number of hits per IP against each URL (the tricky part: by parsing and counting the URLs in total /v0.1/first/ without the rest of the URL) to get total count of hits per all URLs, per minute, per hour and per IP)

It's not definitely all of this to be in one search ( one for total counts, one for per minute etc )

so far I've come with:

source="....." | stats dc(URL) as count by URL,IP | sort -count
and it shows me a field with URLs, IP, and count of URL<->IP hits

yep.. I know.. splunk noob here

Any ideas will be much appreciated 🙂

0 Karma
Reply

woodcock
Esteemed Legend
‎06-23-2015 03:01 PM

I do not understand what you mean but I think that this should give you more than you need:

... | rex field=URL "^(?<URL3segments>(?:[^/]/){3})" | stats count as hits dc(URL) values(URL) dc(IP) values(IP) by URL3segments
0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎06-23-2015 12:40 PM

it sounds like you want to extract a portion of the URL into its own field correct?
/v0.1/first

0 Karma
Reply

somesoni2
Revered Legend
‎10-12-2014 06:25 PM

Is there any specific rule that can be set here about URL portion to be counted, only the first Two segments to be counted?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...