Actually, 

I have my request path in log as 

• /v1/locations/45BH-JGN

I need to extract "/v1/locations/" from it. Similarly I have endpoint

• /v1/exceptions/ABS/12

I need to extract only "/v1/exceptions/ABS/" 

So I need to ignore the last string which comes after "/" and get the same.

@ITWhisperer 

So when you said you had a field called RequestPath, you meant you don't have a field called RequestPath?

Instead you meant, you have a raw event which you need to extract a field called RequestPath from, and then extract the first part (up to the last /)?

Perhaps you could share some of your actual events and identify which fields have already been extracted?

Hi, 

I do have a field called RequestPath. Here are 3 different event logs.

Properties: { [-]
Host:
MachineName:
RequestId:
RequestPath: /v1/locations/41b2ee1b-145es
StatusCode: 404
}

Properties: { [-]
Host:
MachineName:
RequestId:
RequestPath: /v1/exceptions/ODD/123
StatusCode: 404
}

Properties: { [-]
Host:
MachineName:
RequestId:
RequestPath: /v2/timebuckets/A4GH-A
StatusCode: 404
}

My need is to have a count of how many errors are there for each request path without the ID(which is the last string in the endpoint after '/')

So

• /v1/locations/  - 1 Failure
• /v1/exceptions/ODD/ - 1 Failure
• /v2/timebuckets/ - 1 Failure

Something like this.

Something like

| rex field=RequestPath "^(?<endpoint>.+/)[^/]+$"
| stats count by endpoint

or, more "formal"ly,

| eval RequestPath = split(RequestPath, "/")
| eval endpoint = mvjoin(mvindex(RequestPath, 0, mvcount(RequestPath) - 1), "/")
| stats count by endpoint

Thanks. It looks like your events are partially JSON. Have you extract the RequestPath field already, or do you need some guidance on that? (If it has been done already, it might have a different name "...Properties.RequestPath  for example.