Splunk Search

How can I get only one data on column table instead of having multiple due to params?

DougiieDee
Explorer
operationName urls avg_time max_time count
MethodUsingGET https://www.google.com/api/v1/571114808/CAR.202
https://www.google.com/api/v1/571114899
325532552
UsingGET https://www.googleA.com/api/v1/571114888/api/
https://www.googleB.com/api/v1/571114877/api/
1316.889534518


I would only want one url but it should count others as well. Is there a way?

0 Karma

ITWhisperer
SplunkTrust

What search did you use to get these results? What do your events look like?

0 Karma

DougiieDee
Explorer

index=*
| rex "(?i)\".*?\":(?P<operationId>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<responseTime>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<Url>\d+)(?=,)"
| stats values(Url) as urls, avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId

The results are pretty in Splunk, but when I download the CSV file all the results are in like 1 line and it doesn't have data like it showed.

0 Karma

ITWhisperer
SplunkTrust

Try something like this

| stats avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId, Url
0 Karma

DougiieDee
Explorer

The results are like this

operationId Url avg_time max_time count
accountUsingGET https://*/api/account/history/sourceaccount1675.3333349143
accountUsingGET https://*/api/account/history/sourceaccount1324.7534510
LineUsingPOST https://*/api/lines/1012/activate122412241
LineUsingPOST https://*/api/lines/1014/activate101510151
LineUsingPOST https://*/api/lines/1017/activate150610151

But I only want one data from operationId and Url, but it should count all and give avg response time as well, like this. Is there a way?

operationId Url avg_time max_time count
accountUsingGET https://*/api/account/history/sourceaccount1675.33333491413
LineUsingPOST https://*/api/lines/1012/activate122412243

0 Karma

ITWhisperer
SplunkTrust

I don't think so - if you do stats by operationId, Url you will only get one row for each unique combination of these fields, which is what you said you wanted.

0 Karma
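
An added example, not part of any post in this thread: one way to get a single row per endpoint is to normalise the URL before `stats`, so that values differing only in a numeric path ID or a query string fall into the same group, while one concrete URL is kept for display. The events, the `example.test` host and the field names `constructed_event`, `url_template` and `example_url` are constructed for illustration, and the search assumes the URLs differ only in those two ways.

```spl
| makeresults
| eval constructed_event=mvappend(
    "accountUsingGET,https://example.test/api/account/history/sourceaccount?page=1,4914",
    "accountUsingGET,https://example.test/api/account/history/sourceaccount?page=2,56",
    "LineUsingPOST,https://example.test/api/lines/1012/activate,1224",
    "LineUsingPOST,https://example.test/api/lines/1014/activate,1015",
    "LineUsingPOST,https://example.test/api/lines/1017/activate,1506")
| mvexpand constructed_event
| eval operationId=mvindex(split(constructed_event, ","), 0),
       Url=mvindex(split(constructed_event, ","), 1),
       responseTime=tonumber(mvindex(split(constructed_event, ","), 2))
| eval url_template=replace(replace(Url, "[?].*$", ""), "/\d+(?=/|$)", "/{id}")
| stats first(Url) as example_url, avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId, url_template
```

Against real events, drop everything up to and including the `eval` that builds `operationId`, `Url` and `responseTime`, and keep the `url_template` and `stats` lines after the existing field extractions.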