Splunk Search

How can I get only one value in a table column instead of having multiple due to params?

DougiieDee
Explorer
operationName    urls                                              avg_time        max_time   count
MethodUsingGET   https://www.google.com/api/v1/571114808/CAR.202   3255            3255       2
                 https://www.google.com/api/v1/571114899
UsingGET         https://www.googleA.com/api/v1/571114888/api/     1316.889534518
                 https://www.googleB.com/api/v1/571114877/api/


I would only want one URL, but it should count the others as well. Is there a way?

0 Karma

ITWhisperer
SplunkTrust

What search did you use to get these results? What do your events look like?

0 Karma

DougiieDee
Explorer

index=*
| rex "(?i)\".*?\":(?P<operationId>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<responseTime>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<Url>\d+)(?=,)"
| stats values(Url) as urls, avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId

The results are pretty in Splunk, but when I download the CSV file all the results are on one line and it doesn't have the data like it showed.

0 Karma

ITWhisperer
SplunkTrust

Try something like this:

| stats avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId, Url
0 Karma

DougiieDee
Explorer

The results are like this:

operationId       Url                                            avg_time      max_time   count
accountUsingGET   https://*/api/account/history/sourceaccount    1675.33333    4914       3
accountUsingGET   https://*/api/account/history/sourceaccount    1324.75       345        10
LineUsingPOST     https://*/api/lines/1012/activate              1224          1224       1
LineUsingPOST     https://*/api/lines/1014/activate              1015          1015       1
LineUsingPOST     https://*/api/lines/1017/activate              1506          1015       1

But I only want one value for operationId and Url, and it should count all and give the avg response time as well, like this. Is there a way?

operationId       Url                                            avg_time      max_time   count
accountUsingGET   https://*/api/account/history/sourceaccount    1675.33333    4914       13
LineUsingPOST     https://*/api/lines/1012/activate              1224          1224       3

0 Karma

ITWhisperer
SplunkTrust

I don't think so - if you do stats by operationId, Url you will only get one row for each unique combination of these fields, which is what you said you wanted.

0 Karma
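As an added example, not part of either participant's reply: assuming the three fields the poster's search already extracts (operationId, Url, responseTime), a search like the one below keeps every event in count and avg but reports a single representative URL per operationId. values(Url) collects the distinct URLs, mvindex picks the first of them for the Url column, dc(Url) records how many URLs were folded into the row, and mvjoin turns the remaining multivalue list into one string so that a CSV export keeps one line per row instead of splitting the cell.

```spl
index=* 
| stats values(Url) as urls, dc(Url) as url_count, avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId
| eval Url=mvindex(urls, 0)
| eval urls=mvjoin(urls, "; ")
| table operationId Url url_count avg_time max_time count urls
```

Two things to check against the tables in the thread. First, avg_time here is the mean over all events in the group, not the avg of the first row: with 3 events averaging 1675.33333 and 10 averaging 1324.75, the accountUsingGET row comes out at about 1405.65 with count 13. Second, first(Url) in place of values(Url) plus mvindex would also give one URL per group, but it returns whichever event the search saw first, which depends on sort order, so the mvindex form is more predictable when the output is compared run to run.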