Splunk noob here,
Wanted to group our get endpoints under a single entry. We have the following query
index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request" | stats count by "msg.Service.URL" |rename "msg.Service.URL" as "Endpoint"
The results come out as
http://endpoint.example.com/sh/bundles 4944
http://endpoint.example.com/sh/bundles/0043005f-a3ce-4f60-8f1d-0a8b076aecdf 3
http://endpoint.example.com/sh/bundles/0067cb65-1de0-4b8e-bdf9-39920f599961 2
http://endpoint.example.com/sh/bundles/008950c2-228c-4871-bab7-50dc01a3297a 2
http://endpoint.example.com/sh/bundles/00c100b8-47ec-4feb-86ae-99f635f8960f 2
http://endpoint.example.com/sh/bundles/00c63a13-2700-440d-b54e-1538db038a1e 2
http://endpoint.example.com/sh/bundles/00e220d1-4f68-487f-ae01-13999811ba31 2
http://endpoint.example.com/sh/bundles/01485473-4b49-4eb8-9a4f-ea5c61f3fe7a 2
http://endpoint.example.com/sh/bundles/0164d5d2-3624-40ca-bf4c-6a3619aead00 2
I want the results with a GUID to be grouped under a single value. So the desired output here would be
http://endpoint.example.com/sh/bundles 4944 (stays the same)
http://endpoint.example.com/sh/bundles/* 17 (the sum of all the endpoint counts with guid)
Trying to use the query like the following without any luck
| eval msg.Service.URL=case(like(msg.Service.URL, "http://endpoint.example.com/sh/bundles/%"), "http://endpoint.example.com/sh/bundles/*", 1=1, 'msg.Service.URL')
hi @ak8675309
Try this,
index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request"
| rename "msg.Service.URL" as Endpoint
| rex field=Endpoint mode=sed "s/bundles\/[\w-]+/bundles\/*/g"
| stats count by Endpoint
If this reply helps you, an upvote/like would be appreciated.
Thanks, this definitely helps me get the behavior.. just need to tweak the regex to suit my needs. Appreciate your help
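A stricter variant of the normalization discussed in this thread, added here as an example and not part of any post above: it collapses only path segments shaped like a GUID (8-4-4-4-12 hex digits), so a non-GUID sub-path is not folded into the wildcard the way `[\w-]+` would fold it. The `makeresults` rows are constructed sample data; the `/search` and `/items` paths are hypothetical and do not come from the original logs.

```spl
| makeresults
| eval constructed_sample_urls="http://endpoint.example.com/sh/bundles,http://endpoint.example.com/sh/bundles/0043005f-a3ce-4f60-8f1d-0a8b076aecdf,http://endpoint.example.com/sh/bundles/0067cb65-1de0-4b8e-bdf9-39920f599961,http://endpoint.example.com/sh/bundles/search,http://endpoint.example.com/sh/bundles/008950c2-228c-4871-bab7-50dc01a3297a/items"
| eval Endpoint=split(constructed_sample_urls, ",")
| mvexpand Endpoint
| eval Endpoint=replace(Endpoint, "/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}(?=/|$)", "/*")
| stats count by Endpoint
```

With the sample rows, the two plain GUID URLs merge into one `/sh/bundles/*` row, while `/sh/bundles/search` and `/sh/bundles/*/items` stay as separate rows. To use it on real data, replace the first four lines with the base search and `rename` from the accepted answer.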