Grouping HTTP GET requests based on first directory

JaredYong

Very new to Splunk here. I would like to group each HTTP request based on its directory, produce a count for each, and plot it in a pie chart.

GET /vendor, GET /Services, GET /config, GET /About

For example, GET /vendor/vendor/auth/signin and GET /vendor/vendor/browse should be classified under /vendor in a table.

My current query is wrong and doesn't show anything; I modified it based on a GIAC paper.

index="apache_logs" | stats count by request | eval request=case(
request="GET /config*", "/config",
request="GET /vendor*", "/vendor",
request="GET /Services*", "/Services",
request="GET /About*", "/About",
request="GET /about*", "/about")
| top request limit=0 useother=f
| eval request=request." (".count." events, ".round(percent,2)."%)"

I would also like to differentiate requests to /about and /About.
I hope this made sense.


venkatasri

Hi @JaredYong 

Can't give you a final query; however, you can try using a combination of field extraction of /directory/ and stats on it.

Example:

<your_base_query> "GET"
| rex field=request "\/(?<dir>\w+)\/" 
| stats count by dir

--

An upvote would be appreciated if this reply helps!


ITWhisperer

index="apache_logs" 
| stats count by request 
| eval request=split(request,"/")
| eval request="/".mvindex(request,1)
| top request limit=0 useother=f
| eval request=request." (".count." events, ".round(percent,2)."%)"

JaredYong

Hi, I have tried your solution, but it seems like it's all categorized under /backend in the result, showing 30 events, while I should have 133 events. Upon closer inspection, I noticed that each of the 30 events has its own count, which adds up to 133. How should I modify the solution so that it shows 133 instead of 30?


ITWhisperer

Change the order of the commands so that the directory is resolved before the counting.

index="apache_logs" 
| eval request=split(request,"/")
| eval request="/".mvindex(request,1)
| top request limit=0 useother=f
| eval request=request." (".count." events, ".round(percent,2)."%)"
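A worked illustration of the grouping logic discussed in this thread, added here as an example and not code from the thread or from Splunk: Python that applies the same "/" . mvindex(split(request,"/"),1) rule and the rex "\/(?<dir>\w+)\/" rule to constructed Apache log lines, keeping /about and /About separate and showing where the rex variant misses a request that has no trailing slash.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not from the thread).
SAMPLE_LOG = """\
10.0.0.1 - - [18/Oct/2021:10:00:01 +0000] "GET /vendor/vendor/auth/signin HTTP/1.1" 200 512
10.0.0.2 - - [18/Oct/2021:10:00:02 +0000] "GET /vendor/vendor/browse HTTP/1.1" 200 1024
10.0.0.3 - - [18/Oct/2021:10:00:03 +0000] "GET /About HTTP/1.1" 200 300
10.0.0.4 - - [18/Oct/2021:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 300
10.0.0.5 - - [18/Oct/2021:10:00:05 +0000] "GET /config?x=1 HTTP/1.1" 403 0
10.0.0.6 - - [18/Oct/2021:10:00:06 +0000] "POST /Services/api HTTP/1.1" 200 0
10.0.0.7 - - [18/Oct/2021:10:00:07 +0000] "GET / HTTP/1.1" 200 10
"""

# Pulls method and path out of the quoted request part of each line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def first_directory(path):
    """Same idea as "/" . mvindex(split(path, "/"), 1): the first path segment,
    case-sensitive, with any query string dropped first. A bare "/" maps to "/"."""
    path = path.split("?", 1)[0]
    parts = path.split("/")
    return "/" + (parts[1] if len(parts) > 1 else "")

def rex_directory(path):
    """Mimics rex "\/(?<dir>\w+)\/": needs a slash on both sides, so "/About" with no
    trailing slash yields no match, and \w excludes characters such as '-' and '.'."""
    m = re.search(r"/(\w+)/", path)
    return m.group(1) if m else None

def group_requests(log_text, method="GET"):
    """Count requests of one method per first directory; returns {dir: (count, percent)},
    which is what top request limit=0 useother=f produces after the eval."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != method:
            continue
        counts[first_directory(m.group("path"))] += 1
    total = sum(counts.values())
    return {d: (n, round(100.0 * n / total, 2)) for d, n in counts.most_common()}

if __name__ == "__main__":
    for d, (n, pct) in group_requests(SAMPLE_LOG).items():
        print(f"{d} ({n} events, {pct}%)")
```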


JaredYong

One slight problem though: I am unable to put in the percentage for the pie chart. Am I missing something here?


venkatasri

@JaredYong  Are you good with pie chart?


JaredYong

Thank you for this solution! 
