Solved: Re: Disabling the effect of wildcard in a Query

shabdadev · ‎07-02-2017

Hi All ,

I have this query :

index=no host=los*  sourcetype= plp  (  path=/desktop /pl/* ) OR ( path=/mobile/pl/*   ) |  stats perc95(responseTime) as "95th Perc Response Time" by path

I Want the result to come like this as shown below( coagulated response time for the desktop and mobile separately ) :

Path                                                           95th Perc Response Time
/desktop/pl/*                                            234
/mobile/pl/*                                              2344

But the result is showing all the url's in path section just because i have used a wildcard in that place .

how to modify this query to get the expected the result. ??

javiergn · ‎07-03-2017

Try this instead (NOT TESTED so there might be typos):

index=no host=los*  sourcetype= plp  (path="/desktop/pl/*" OR  path="/mobile/pl/*") 
| eval pathSummary = if(match(path, "/desktop/pl/*"), "/desktop/pl/*", "/mobile/pl/*")
|  stats perc95(responseTime) as "95th Perc Response Time" by pathSummary

The second line groups your paths based on your preferences and then assigns that into a new field that you can use in your stats.

Thanks,
J

View solution in original post

niketn · ‎07-03-2017

Since you have only two paths (or systems) i.e. desktop and mobile in your base search. Following should work:

 index="no" host="los*"  sourcetype="plp"  (  path="/desktop/pl/*" ) OR ( path="/mobile/pl/*"   ) 
| eval path=if(match(path,"desktop"),"desktop","mobile")
| stats perc95(responseTime) as "95th Perc Response Time" by path

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎07-03-2017

Oh too late. You already got your answer 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

shabdadev · ‎07-03-2017

hahahha Thanks you Niket too....i guess logic is same in both . Thanks again 🙂

javiergn · ‎07-03-2017

Try this instead (NOT TESTED so there might be typos):

index=no host=los*  sourcetype= plp  (path="/desktop/pl/*" OR  path="/mobile/pl/*") 
| eval pathSummary = if(match(path, "/desktop/pl/*"), "/desktop/pl/*", "/mobile/pl/*")
|  stats perc95(responseTime) as "95th Perc Response Time" by pathSummary

The second line groups your paths based on your preferences and then assigns that into a new field that you can use in your stats.

Thanks,
J

shabdadev · ‎07-03-2017

Thanks a lot 🙂 ..it worked

niketn · ‎07-03-2017

@shabdadev, in order to avoid your code from getting escaped, use the code button (101010) while posting your query. Please try to Edit your question and re-post with code button query and sample table.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

shabdadev · ‎07-03-2017

HI Niket i have modified the post ..please see again

Disabling the effect of wildcard in a Query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

Disabling the effect of wildcard in a Query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability