Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Grouping similar results (URL)

ashwinkhai
Engager
‎01-23-2020 08:52 AM

I am trying to pull list of different URLs from a splunk query. The data is like below.

Sample data:
1. Need to group data like below as one - /v7/ap/deal/config?groupid
/v7/ap/deal/config?groupId=1234
/v7/ap/deal/config?groupId=4567
/v7/ap/deal/config?groupId=8910

  1. Need to group data like below as one - /v7/ap/deals/*/deals-allowed
    /v7/ap/deals/1234567/deals-allowed
    /v7/ap/deals/N32343Ds/deals-allowed
    /v7/ap/deals/F3e43Ds/deals-allowed

  2. Need to group datalike below as one -- /v1/deal/deals//deal-group/item?startdate

/v1/deal/deals/1234567/deal-group/item?startdate=2020-01-21
/v1/deal/deals/N1234/deal-group/item?startdate=2019-01-21
/v1/deal/deals/E2345/deal-group/item?startdate=2019-10-21
/v1/deal/deals/F2354/deal-group/item?startdate=2019-12-21

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

codebuilder
SplunkTrust
SplunkTrust
‎01-23-2020 10:45 AM

Use the "cluster" function. It is extremely useful and will do exactly what you're asking.

Example usage:

index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count

alt text

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution

ashwinkhai
Engager
‎01-23-2020 11:37 AM

Thanks alot for the information. Is it possible to use cluster command on one field. In my case it is url field alone.

0 Karma
Reply
Solved! Jump to solution

codebuilder
SplunkTrust
SplunkTrust
‎01-23-2020 11:53 AM

Glad to help. And yes, you can use this with any query, just pipe the results to cluster, and/or table any fields you want to display.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution
Solution

codebuilder
SplunkTrust
SplunkTrust
‎01-23-2020 10:45 AM

Use the "cluster" function. It is extremely useful and will do exactly what you're asking.

Example usage:

index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count

alt text

----
An upvote would be appreciated and Accept Solution if it helps!
Preview file
1 KB
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...