Solved: Group urls together for get requests that have GUI...

ak8675309 · ‎01-24-2021

Splunk noob here,

Wanted to group our get endpoints under a single entry. We have the following query

index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request" | stats count by "msg.Service.URL" |rename "msg.Service.URL" as "Endpoint"

The results come out as

I want the results with guid be grouped under a single value. So the desired output here would be

http://endpoint.example.com/sh/bundles 4944 (stays the same)
http://endpoint.example.com/sh/bundles/* 17 (the sum of all the endpoint counts with guid)

Trying to use the query like the following without any luck

| eval msg.Service.URL=case(like(msg.Service.URL, "http://endpoint.example.com/sh/bundles/%"), "http://endpoint.example.com/sh/bundles/*", 1=1, 'msg.Service.URL')

manjunathmeti · ‎01-24-2021

hi @ak8675309

Try this,

index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request" 
| rename "msg.Service.URL" as Endpoint 
| rex field=Endpoint mode=sed "s/bundles\/[\w-]+/bundles\/*/g" 
| stats count by Endpoint

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

manjunathmeti · ‎01-24-2021

hi @ak8675309

Try this,

index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request" 
| rename "msg.Service.URL" as Endpoint 
| rex field=Endpoint mode=sed "s/bundles\/[\w-]+/bundles\/*/g" 
| stats count by Endpoint

If this reply helps you, an upvote/like would be appreciated.

ak8675309 · ‎01-25-2021

Thanks, this definitely helps me get the behavior.. just need to tweak the regex to suit my needs. Appreciate your help

Group urls together for get requests that have GUID in them

eval

regex

rex

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio