Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract the meaningful fields from the logs

amitru
Engager
‎04-20-2022 04:55 AM

I want to get an API usage report per user and I am struggling with the Splunk Query for this, can someone please help with the query, I tried using rex but didn't get through.

 

In my app logs, I have a text like -

U87XXXX:ddddffggggggsss.REG.Currency [RestInterceptor]: RestRequest: URI : https://abc.net/api/curr

........  RequestBody: {"loginId": "U87XXXX"}

 

I want the output as

UserID                     URL                                                 COUNT 

U87XXXX        https://abc.net/api/curr                    5

U78XXXX       https://abc.net/api/xyz                     11 

 

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply

Gr0und_Z3r0
Contributor
‎04-20-2022 05:01 AM

Hi @amitru 

Try something like this and then do a stats command to get insights.


 

|rex field=_raw "URI\s\:\s(?P<URL>[\w\:\/\.]+)"
|rex field=_raw "loginId\"\:\s\"(?P<UserID>[\w]+)\""
|stats count by UserID URL

 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...