Splunk Search

How can I filter partial duplicates?

Yukie
Observer

Hello,

I'm new to Splunk (internship) and couldn't find an answer.

I'd need a way to filter my search.

I'm currently using a ".... | ... | stats count by RequestPath" search.

The problem is that the "RequestPath" can contain variable/random data at the end.


Example:
x/y/first

x/y/second/randomText

x/y/second/randomText

x/y/third


There are millions of outputs and I would like to filter them so I only keep:

x/y/first

x/y/second

x/y/third

Thanks 🙂

0 Karma

gcusello
SplunkTrust

Hi @Yukie,

you have to extract a part of the RequestPath using the rex command and use it for the stats command, something like this:

<your_search>
| rex field=RequestPath "\w+\/\w+\/(?<SubPath>[^\/\n]+)"
| stats count BY SubPath

Ciao.

Giuseppe

0 Karma

Yukie
Observer

Hi @gcusello,
Thanks for the fast answer.


It definitely helped, but I realised it's a bit more complicated than what I described.

Your suggestion gives as output:

first
second
third

Whereas I'd like to have the full path up to there:
x/y/first

x/y/second

x/y/third


Because there might be, for example:
x/y/first

x/z/second/random.pdf

x/z/second/random.pdf

x/y/third

I'm not an expert in regex and even less in Splunk regex syntax. Sorry if it sounds like something so simple I should have found myself.

0 Karma

gcusello
SplunkTrust

Hi @Yukie,

no problem, please try this regex:

^(?<SubPath>[^\/]+\/[^\/]+\/[^\/\n]+)

that you can test at https://regex101.com/r/0hzRax/1

Ciao.

Giuseppe

0 Karma
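To see what the two regexes from the answers above do with the kind of paths in the question, here is an added Python example (not from this thread and not Splunk code): it reproduces `rex` followed by `stats count BY SubPath` with Python's `re` and `Counter` over constructed sample paths, writing the named group as `(?P<SubPath>...)` because Python's `re` uses that form where Splunk's PCRE uses `(?<SubPath>...)`.

```python
import re
from collections import Counter

# Constructed sample RequestPath values in the shape the thread describes:
# a fixed prefix followed by a variable, per-request tail. "x/y" is a
# two-segment path added to show what happens when the regex does not match.
SAMPLE_PATHS = [
    "x/y/first",
    "x/y/second/randomText",
    "x/y/second/otherText",
    "x/z/second/random.pdf",
    "x/z/second/report.pdf",
    "x/y/third",
    "x/y",
]

# First regex from the thread: keeps only the third segment, so
# x/y/second and x/z/second both collapse into "second".
THIRD_SEGMENT = re.compile(r"\w+\/\w+\/(?P<SubPath>[^\/\n]+)")

# Second regex from the thread: keeps the first three segments intact, so
# x/y/second and x/z/second stay separate while the random tail is dropped.
THREE_SEGMENTS = re.compile(r"^(?P<SubPath>[^\/]+\/[^\/]+\/[^\/\n]+)")


def count_by_subpath(paths, pattern):
    """Equivalent of `| rex field=RequestPath ... | stats count BY SubPath`:
    apply the regex to each path and count the extracted SubPath values.
    Paths that do not match get no SubPath and are left out, which is what
    stats does with events that lack the BY field."""
    counts = Counter()
    for path in paths:
        match = pattern.search(path)
        if match:
            counts[match.group("SubPath")] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, pattern in (("third segment", THIRD_SEGMENT),
                          ("three segments", THREE_SEGMENTS)):
        print(name, count_by_subpath(SAMPLE_PATHS, pattern))
```

Run as a script it prints the two groupings side by side, so you can see that only the second regex gives the `x/y/first`, `x/y/second`, `x/y/third` style keys the question asks for.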