
Get count of rows from a value which is a part of the message in the log file

smarak_das01
New Member

Our requirement is to get the count and location of a build that has been downloaded multiple times from one source file (builddwnld). These locations of the builds are retrieved from another source file (buildupld).
For example:
index="buildupld" status=200 | top 200 location | table location
This gives the output as location "abc/content/buildabc".

But in the builddwnld source file there is no field called location; we get the whole log row message, in which the location is just a part of a big string in the log. For example:
index="builddwnld" "abc/content/buildabc"
This query gives the below output:
[24/Aug/2014:23:48:41 -0700] 0 "GET /content/downloads/abc/content/buildabc/abc287.pkg HTTP/1.1" 200 50

If we do index="builddwnld" "abc/content/buildabc" | stats count then it gives just the count.

So, basically we need to form one single query in which we use the location value (which we get from the first query on the buildupld source) as the input parameter to get the count of the number of times it has been downloaded and the location from the builddwnld source (the final output should contain two columns: count and location).

Kindly help us out to resolve this issue.


somesoni2
Revered Legend

Try this (slow, using map command)

index="buildupld" status=200 | top 200 location | table location
| map maxsearches=20 search="search index=builddwnld \"$location$\" | eval location=\"$location$\" | stats count by location"

smarak_das01
New Member

Yes, the URI path value always has this specific pattern, i.e.
/content/downloads/abc/content/buildabc/abc287.pkg
and the location value always starts with the 3rd folder in the path.


somesoni2
Revered Legend

Also, is there any specific pattern about the uri_path value (/content/downloads/abc/content/buildabc/abc287.pkg) in the builddwnld index data, like it always has "/content/downloads/" before the location, OR the location value "/abc/content/buildabc" always starts with the 3rd folder in the path?

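Given the path pattern confirmed above (the location is always the three folders after /content/downloads/), the same result can be produced without map, using a subsearch to feed the location strings into the builddwnld search and rex to pull the location back out of each raw event. This is an added example, not code posted by either participant; it assumes every download event contains "GET /content/downloads/<location>/<file>" exactly as in the quoted log line, and that the field names index="buildupld", index="builddwnld", status and location are as shown in the question.

```spl
index="builddwnld" "GET /content/downloads/"
    [ search index="buildupld" status=200
      | top 200 location
      | table location
      | eval search="\"" . location . "\""
      | fields search ]
| rex field=_raw "GET /content/downloads/(?<location>[^/]+/[^/]+/[^/]+)/"
| stats count BY location
```

The subsearch returns a field named search, so each quoted location value is inserted verbatim and the values are ORed together; this avoids map's maxsearches cap (the map answer above would stop after 20 locations, although top returns up to 200), at the cost of the usual subsearch result and time limits. The rex captures exactly three path segments after /content/downloads/, so the extracted location matches the values coming from buildupld and the final stats produces the requested two columns, count and location.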