Re: Calculate traffic split based on URI prefix

johntopley · ‎03-27-2014

Hi,

The traffic in our application is routed according to a URI prefix, for example: uri_path=/foo/* or uri_path=/bar/*. How can I produce a pie chart that simply shows the percentage of traffic that went to each uri_path?

jdgifford · ‎11-17-2014

I have a similar situation and found MuS's proposed solution to point me in the right direction. I was getting multi-valued fields for my uri_prefix and discovered that max_match=0 seemed to be causing that. So, changing max_match=1 (the default) got me what I was looking for.

base_search | rex field=uri_path max_match=1 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix

MuS · ‎03-28-2014

Hi johntopley,

try something like this:

... | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | ...

cheers, MuS

MuS · ‎03-28-2014

sure it will not group anything, because there is no stats nor any other command which will do that. So if you take the updated search and add a stats to it will that match your needs?

your base search uri_path=/foo/* OR uri_path=/bar/* | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix

I can only try to help and try to lead you, but I cannot write a complete search because I don't have your data....

johntopley · ‎03-28-2014

It doesn't group the requests into those that start with /foo/* and those that start with /bar/*.

MuS · ‎03-28-2014

how about this:

your base search uri_path=/foo/* OR uri_path=/bar/* | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | dedup uri_prefix | ...

johntopley · ‎03-28-2014

Thanks, but it gives 100s of different values for uri_prefix instead of the two I want.

johntopley · ‎03-28-2014

No, still the same.

somesoni2 · ‎03-27-2014

Try the updated search '| rex field=uri_path "^/(?[^/]*)"'. This gives 'bar' and 'foo' from the uri.

johntopley · ‎03-27-2014

Thanks, but it still gives 100s of different values for uri_prefix instead of the two I want.

somesoni2 · ‎03-27-2014

It seems slashes were removed in the comment field. try this.

your base search| rex field=uri_path "^/(?[^/]*)"| stats count by uri_prefix

johntopley · ‎03-27-2014

I get > 100 different values for the uri_prefix field. Lots of different URLs that start with /foo or /bar.

somesoni2 · ‎03-27-2014

With the search "your base search| rex field=uri_path "^(?.*)/"", what values you're getting in the field uri_prefix?

johntopley · ‎03-27-2014

I don't think that does what I need. I'm expecting two figures: one for all uri_paths that start with /foo and another for all uri_paths that start with /bar.

somesoni2 · ‎03-27-2014

Then (based on your example, your just need first part of uri, '/foo' and '/bar'), try this.

your base search| rex field=uri_path "^(?.*)\/"| stats count by uri_prefix

johntopley · ‎03-27-2014

Thanks, but uri_path contains numerous values. I need the grouping by uri_path prefix.

somesoni2 · ‎03-27-2014

If this field is extracted try this.

your base search | stats count by uri_path
or
your base search | chart count by uri_path

and use pie chart as visualisation.

Calculate traffic split based on URI prefix

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM