Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can i get only one data on column table instead of having multiple due to params?

DougiieDee
Explorer
‎08-13-2021 10:00 AM
operationNameurlsavg_timemax_timecount
MethodUsingGEThttps://www.google.com/api/v1/571114808/CAR.202
https://www.google.com/api/v1/571114899

325532552
UsingGEThttps://www.googleA.com/api/v1/571114888/api/
https://www.googleB.com/api/v1/571114877/api/


1316.889534518


I would only want one url but it should count others as well. Is there a way?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-13-2021 10:13 AM

What search did you use to get these results? What do your events look like?

0 Karma
Reply

DougiieDee
Explorer
‎08-13-2021 10:36 AM

index=*
| rex "(?i)\".*?\":(?P<operationId>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<responseTime>\d+)(?=,)"
| rex "(?i)\".*?\":(?P<Url>\d+)(?=,)"
| stats values(Url) as urls, avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId

The results are in pretty in splunk but when i download the csv file all the results are in like 1 line and doesnt have data like it showed

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-13-2021 10:47 AM

Try something this

| stats avg(responseTime) as avg_time, max(responseTime) as max_time, count by operationId, Url
0 Karma
Reply

DougiieDee
Explorer
‎08-13-2021 11:31 AM

the results are like this

operationIdUrlavg_timemax_timecount
accountUsingGEThttps://*/api/account/history/sourceaccount1675.3333349143
accountUsingGEThttps://*/api/account/history/sourceaccount1324.7534510
LineUsingPOSThttps://*/api/lines/1012/activate122412241
LineUsingPOSThttps://*/api/lines/1014/activate101510151
LineUsingPOSThttps://*/api/lines/1017/activate150610151

 

but i only want one data from operationId and Url but it should count all and give avg response time as well, like this, is there a way?

operationIdUrlavg_timemax_timecount
accountUsingGEThttps://*/api/account/history/sourceaccount1675.33333491413
LineUsingPOSThttps://*/api/lines/1012/activate122412243

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-13-2021 01:49 PM

I don't think so - if you do stats by operationId, Url you will only get one row for each unique combination of these fields, which is what you said you wanted.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...