Splunk Search

How can I get only one data on column table instead of having multiple due to params?

DougiieDee
Explorer
operationName  | urls                                            | avg_time  | max_time | count
---------------|-------------------------------------------------|-----------|----------|------
MethodUsingGET | https://www.google.com/api/v1/571114808/CAR.202 | 3255      | 3255     | 2
               | https://www.google.com/api/v1/571114899         |           |          |
UsingGET       | https://www.googleA.com/api/v1/571114888/api/   | 1316.8895 | 3451     | 8
               | https://www.googleB.com/api/v1/571114877/api/   |           |          |


I would only want one url but it should count others as well. Is there a way?


ITWhisperer
SplunkTrust

What search did you use to get these results? What do your events look like?


DougiieDee
Explorer

index=*
| rex "(?i)\".*?\":(?P<operationId>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<responseTime>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<Url>\d+)(?=,)"
| stats values(Url) as urls, avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId

The results are pretty in Splunk, but when I download the CSV file all the results are on like 1 line and it doesn't have data like it showed.


ITWhisperer
SplunkTrust

Try something like this

| stats avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId, Url

DougiieDee
Explorer

The results are like this

operationId     | Url                                         | avg_time   | max_time | count
----------------|---------------------------------------------|------------|----------|------
accountUsingGET | https://*/api/account/history/sourceaccount | 1675.33333 | 4914     | 3
accountUsingGET | https://*/api/account/history/sourceaccount | 1324.75    | 345      | 10
LineUsingPOST   | https://*/api/lines/1012/activate           | 1224       | 1224     | 1
LineUsingPOST   | https://*/api/lines/1014/activate           | 1015       | 1015     | 1
LineUsingPOST   | https://*/api/lines/1017/activate           | 1506       | 1015     | 1


But I only want one data from operationId and Url, but it should count all and give avg response time as well, like this. Is there a way?

operationId     | Url                                         | avg_time   | max_time | count
----------------|---------------------------------------------|------------|----------|------
accountUsingGET | https://*/api/account/history/sourceaccount | 1675.33333 | 4914     | 13
LineUsingPOST   | https://*/api/lines/1012/activate           | 1224       | 1224     | 3


ITWhisperer
SplunkTrust

I don't think so - if you do stats by operationId, Url you will only get one row for each unique combination of these fields, which is what you said you wanted.

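An added example, not written by either poster, showing one way to get the shape asked for in the earlier post: one row per operationId carrying a single representative URL, while count, avg_time and max_time are still computed over every event for that operationId. It assumes the fields operationId, responseTime and Url are already correctly extracted (note that the three rex patterns in the posted search are identical, so as written they would all capture the same first numeric value into all three fields), and sourcetype=YOUR_SOURCETYPE is a placeholder to scope the search instead of index=*.

```spl
index=* sourcetype=YOUR_SOURCETYPE
| stats first(Url) as Url, values(Url) as all_urls, dc(Url) as url_count, avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId
| eval avg_time=round(avg_time, 2)
| eval all_urls=mvjoin(all_urls, "; ")
| table operationId, Url, url_count, avg_time, max_time, count, all_urls
```

Because the only `by` field is operationId, count and the averages cover all of that operation's events regardless of URL; first(Url) picks one URL per group (min(Url) gives a deterministic, alphabetically first choice instead), dc(Url) keeps the number of distinct URLs visible, and mvjoin collapses the multivalue values(Url) list into a single string, so each result is one line in the exported CSV rather than a cell with embedded line breaks, which is what the earlier post describes when downloading the results.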