- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Group urls together for get requests that have GUI...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk noob here,
Wanted to group our get endpoints under a single entry. We have the following query
index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request" | stats count by "msg.Service.URL" |rename "msg.Service.URL" as "Endpoint"
The results come out as
http://endpoint.example.com/sh/bundles 4944
http://endpoint.example.com/sh/bundles/0043005f-a3ce-4f60-8f1d-0a8b076aecdf 3
http://endpoint.example.com/sh/bundles/0067cb65-1de0-4b8e-bdf9-39920f599961 2
http://endpoint.example.com/sh/bundles/008950c2-228c-4871-bab7-50dc01a3297a 2
http://endpoint.example.com/sh/bundles/00c100b8-47ec-4feb-86ae-99f635f8960f 2
http://endpoint.example.com/sh/bundles/00c63a13-2700-440d-b54e-1538db038a1e 2
http://endpoint.example.com/sh/bundles/00e220d1-4f68-487f-ae01-13999811ba31 2
http://endpoint.example.com/sh/bundles/01485473-4b49-4eb8-9a4f-ea5c61f3fe7a 2
http://endpoint.example.com/sh/bundles/0164d5d2-3624-40ca-bf4c-6a3619aead00 2
I want the results with guid be grouped under a single value. So the desired output here would be
http://endpoint.example.com/sh/bundles 4944 (stays the same)
http://endpoint.example.com/sh/bundles/* 17 (the sum of all the endpoint counts with guid)
Trying to use the query like the following without any luck
| eval msg.Service.URL=case(like(msg.Service.URL, "http://endpoint.example.com/sh/bundles/%"), "http://endpoint.example.com/sh/bundles/*", 1=1, 'msg.Service.URL')
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @ak8675309
Try this,
index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request"
| rename "msg.Service.URL" as Endpoint
| rex field=Endpoint mode=sed "s/bundles\/[\w-]+/bundles\/*/g"
| stats count by Endpoint
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @ak8675309
Try this,
index=reporting sourcetype=elilogs cf_app_name=endpoint* "Results.Message"="inbound request"
| rename "msg.Service.URL" as Endpoint
| rex field=Endpoint mode=sed "s/bundles\/[\w-]+/bundles\/*/g"
| stats count by Endpoint
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this definitely helps me get the behavior.. just need to tweak the regex to suit my needs. Appreciate your help
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
