Splunk Search

How can I get only one data on a column table instead of having multiple due to params?

DougiieDee
Explorer
operationName  | urls                                                                                        | avg_time  | max_time | count
MethodUsingGET | https://www.google.com/api/v1/571114808/CAR.202, https://www.google.com/api/v1/571114899    | 3255      | 3255     | 2
UsingGET       | https://www.googleA.com/api/v1/571114888/api/, https://www.googleB.com/api/v1/571114877/api/ | 1316.8895 | 3451     | 8

I would only want one URL, but it should count the others as well. Is there a way?

0 Karma

ITWhisperer
SplunkTrust

What search did you use to get these results? What do your events look like?

0 Karma

DougiieDee
Explorer

index=*
| rex "(?i)\".*?\":(?P<operationId>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<responseTime>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<Url>\d+)(?=,)"
| stats values(Url) as urls, avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId

The results look pretty in Splunk, but when I download the CSV file all the results are on one line and it doesn't have the data like it showed.

0 Karma

ITWhisperer
SplunkTrust

Try something like this:

| stats avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId, Url
0 Karma

DougiieDee
Explorer

The results are like this:

operationId     | Url                                          | avg_time   | max_time | count
accountUsingGET | https://*/api/account/history/sourceaccount  | 1675.33333 | 4914     | 3
accountUsingGET | https://*/api/account/history/sourceaccount  | 1324.75    | 345      | 10
LineUsingPOST   | https://*/api/lines/1012/activate            | 1224       | 1224     | 1
LineUsingPOST   | https://*/api/lines/1014/activate            | 1015       | 1015     | 1
LineUsingPOST   | https://*/api/lines/1017/activate            | 1506       | 1015     | 1


But I only want one row for operationId and Url, and it should still count all of them and give the avg response time as well, like this. Is there a way?

operationId     | Url                                          | avg_time   | max_time | count
accountUsingGET | https://*/api/account/history/sourceaccount  | 1675.33333 | 4914     | 13
LineUsingPOST   | https://*/api/lines/1012/activate            | 1224       | 1224     | 3


0 Karma

ITWhisperer
SplunkTrust

I don't think so - if you do stats by operationId, Url you will only get one row for each unique combination of these fields, which is what you said you wanted.

0 Karma
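Added example, not from any post in this thread: a search that keeps one row per operationId, carrying a single representative URL, while count, avg and max still run over every event for that operation. It assumes operationId, Url and responseTime are already extracted (as in the rex-based search above) and that `index=* sourcetype=api_log` is a placeholder for the real base search.

```spl
index=* sourcetype=api_log
| stats first(Url) as Url, values(Url) as all_urls, dc(Url) as url_count,
        avg(responseTime) as avg_time, max(responseTime) as max_time, count
  by operationId
| eval avg_time=round(avg_time, 2), all_urls=mvjoin(all_urls, "; ")
| table operationId Url url_count avg_time max_time count all_urls
```

first(Url) is the most recently seen URL for that operationId, all_urls keeps every distinct one, and mvjoin flattens the multivalue field so a CSV export writes the row on a single line. avg_time here is computed over all events of the operation, not as an average of the per-URL rows.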