Splunk Search

Calculate traffic split based on URI prefix

johntopley
Explorer

Hi,

The traffic in our application is routed according to a URI prefix, for example: uri_path=/foo/* or uri_path=/bar/*. How can I produce a pie chart that simply shows the percentage of traffic that went to each uri_path?

0 Karma

jdgifford
Engager

I have a similar situation and found MuS's proposed solution to point me in the right direction. I was getting multi-valued fields for my uri_prefix and discovered that max_match=0 seemed to be causing that. So, changing max_match=1 (the default) got me what I was looking for.

base_search | rex field=uri_path max_match=1 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix

0 Karma

MuS
SplunkTrust

Hi johntopley,

try something like this:

... | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | ...

cheers, MuS

0 Karma

MuS
SplunkTrust

Sure, it will not group anything, because there is no stats nor any other command which will do that. So if you take the updated search and add a stats to it, will that match your needs?

your base search uri_path=/foo/* OR uri_path=/bar/* | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix

I can only try to help and try to lead you, but I cannot write a complete search because I don't have your data....

johntopley
Explorer

It doesn't group the requests into those that start with /foo/* and those that start with /bar/*.

0 Karma

MuS
SplunkTrust

how about this:

your base search uri_path=/foo/* OR uri_path=/bar/* | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | dedup uri_prefix | ...

0 Karma

johntopley
Explorer

Thanks, but it gives 100s of different values for uri_prefix instead of the two I want.

0 Karma

johntopley
Explorer

No, still the same.

0 Karma

somesoni2
SplunkTrust

Try the updated search '| rex field=uri_path "^/(?<uri_prefix>[^/]*)"'. This gives 'bar' and 'foo' from the uri.

0 Karma

johntopley
Explorer

Thanks, but it still gives 100s of different values for uri_prefix instead of the two I want.

0 Karma

somesoni2
SplunkTrust

It seems slashes were removed in the comment field. Try this.

your base search | rex field=uri_path "^/(?<uri_prefix>[^/]*)" | stats count by uri_prefix

0 Karma

johntopley
Explorer

I get > 100 different values for the uri_prefix field. Lots of different URLs that start with /foo or /bar.

0 Karma

somesoni2
SplunkTrust

With the search 'your base search | rex field=uri_path "^(?<uri_prefix>.*)/"', what values are you getting in the field uri_prefix?

0 Karma

johntopley
Explorer

I don't think that does what I need. I'm expecting two figures: one for all uri_paths that start with /foo and another for all uri_paths that start with /bar.

0 Karma

somesoni2
SplunkTrust

Then (based on your example, you just need the first part of the uri, '/foo' and '/bar'), try this.

your base search | rex field=uri_path "^(?<uri_prefix>.*)\/" | stats count by uri_prefix

johntopley
Explorer

Thanks, but uri_path contains numerous values. I need the grouping by uri_path prefix.

0 Karma

somesoni2
SplunkTrust

If this field is extracted try this.

your base search | stats count by uri_path
or
your base search | chart count by uri_path

and use pie chart as visualisation.

0 Karma
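
Added example, not part of any post in this thread: a small Python model of `rex` followed by `stats count by uri_prefix`, run over constructed `uri_path` values, showing why `max_match=0` and the greedy pattern produce many groups while a single match on the first segment produces the two prefixes and their percentages. The helper names, the sample paths and the `^`-anchored variant are assumptions made for illustration; Python writes a named group as `(?P<name>...)` where `rex` uses `(?<name>...)`.

```python
import re
from collections import Counter

# Constructed sample uri_path values (not taken from the thread).
SAMPLE_PATHS = [
    "/foo/orders/17", "/foo/orders/18/items", "/foo/login",
    "/foo/search", "/bar/reports/2024", "/bar/health",
]

# Patterns from the thread, rewritten with Python's (?P<name>...) group syntax.
UNANCHORED = r"(?P<uri_prefix>/[^/]+)"  # pattern posted by MuS and jdgifford
ANCHORED = r"^(?P<uri_prefix>/[^/]+)"   # same pattern pinned to the start (added here)
GREEDY = r"^(?P<uri_prefix>.*)/"        # somesoni2's later variant


def rex(path, pattern, max_match=1):
    """Model of rex: max_match=0 keeps every match (multivalue), N keeps the first N."""
    values = [m.group("uri_prefix") for m in re.finditer(pattern, path)]
    return values if max_match == 0 else values[:max_match]


def stats_count_by(paths, pattern, max_match=1):
    """Model of `stats count by uri_prefix`: a multivalue field counts once per value."""
    counts = Counter()
    for path in paths:
        counts.update(rex(path, pattern, max_match))
    return dict(counts)


def traffic_split(paths, pattern, max_match=1):
    """Percentage of events per prefix, the figure a pie chart would display."""
    counts = stats_count_by(paths, pattern, max_match)
    total = sum(counts.values())
    return {prefix: round(100 * n / total, 1) for prefix, n in counts.items()}


if __name__ == "__main__":
    for label, pattern, mm in [("unanchored, max_match=0", UNANCHORED, 0),
                               ("unanchored, max_match=1", UNANCHORED, 1),
                               ("greedy to last slash", GREEDY, 1)]:
        print(label, stats_count_by(SAMPLE_PATHS, pattern, mm))
    print("traffic split", traffic_split(SAMPLE_PATHS, ANCHORED))
```
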