Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Grouping HTTP GET requests based on first directory

JaredYong
Explorer
‎10-18-2021 03:01 AM

Very new to splunk here. I would like to group each http request to each directory based on their directory, and produce a count for each and plot it in a pie chart.

GET /vendor, GET /Services, GET /config, GET /About

For example GET /vendor/vendor/auth/signin  and GET /vendor/vendor/browse should be classified under /vendor in a table.

my current query is wrong and doesn't show anything, modified it based on a GIAC paper.


index="apache_logs" | stats count by request | eval request=case(
request="GET /config*", "/config",
request="GET /vendor*", "/vendor",
request="GET /Services*", "/Services",
request="GET /About*", "/About")
request="GET /about*", "/about")
| top request limit=0 useother=f
| eval request=request." (".count." events, ".round(percent,2)."%)"

I would also like to differentiate requests to /about and /About 
 I hope this made sense. 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-18-2021 03:26 AM

Hi @JaredYong 

Can't give you a final query, however you can try using the combination of field extraction of /directory/ and stats it.

Example:

<your_base_query> "GET"
| rex field=request "\/(?<dir>\w+)\/" 
| stats count by dir

--

An upvote would be appreciated if this reply helps!

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-18-2021 03:32 AM 
index="apache_logs" 
| stats count by request 
| eval request=split(request,"/")
| eval request="/".mvindex(request,1)
| top request limit=0 useother=f
| eval request=request." (".count." events, ".round(percent,2)."%)"
Reply
Solved! Jump to solution

JaredYong
Explorer
‎10-18-2021 04:58 AM

Hi I have tried your solution, but it seems like its all categorized under /backend in the result, showing 30 events, while i should have 133 events. upon closer inspection, I noticed that each of the 30 events have their own count, which adds up to 133. How should I modify the solution such that it shows 133 instead of 30?

JaredYong_0-1634558225419.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-18-2021 05:15 AM

Change the order of the commands so that the directory is resolved before the counting

index="apache_logs" 
| eval request=split(request,"/")
| eval request="/".mvindex(request,1)
| stats count by request 
| top request limit=0 useother=f
| eval request=request." (".count." events, ".round(percent,2)."%)"
0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-18-2021 03:26 AM

Hi @JaredYong 

Can't give you a final query, however you can try using the combination of field extraction of /directory/ and stats it.

Example:

<your_base_query> "GET"
| rex field=request "\/(?<dir>\w+)\/" 
| stats count by dir

--

An upvote would be appreciated if this reply helps!

 

Tags (1)
Reply
Solved! Jump to solution

JaredYong
Explorer
‎10-18-2021 05:08 AM

one slight problem though, i am unable to put in the percentage for the pie chart, am i missing something here?

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎10-18-2021 04:26 PM

@JaredYong  Are you good with pie chart?

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

JaredYong
Explorer
‎10-18-2021 05:04 AM

Thank you for this solution! 

0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...