How do I extract part of a URI and store this stri...

belesni · ‎04-16-2015

Hi!

I need to extract part of a uri and store this string in a field to run statistics on it.
http://www.something.com/i_need_this_part/etc-etc-etc

For example:
htp://ww.something.com/first/etc-etc-etc
htp://ww.something.com/second/etc-etc-etc
htp://ww.something.com/first/etc-etc-etc

name      count
first       2
second      1

I don't know if it's possible, but if it is, then please let me know how I can extract this part of the uri and run statistics on it! Thank you

Ps: I intentionally made error in the links because i dont have enough karma to post links

jspears · ‎02-08-2016

If you have your sourcetype as access_combined_wcookie or access_common, Splunk automatically extracts that URI segment as a field called "root".

MuS · ‎04-16-2015

Hi belesni,

based on your provided events you can try something like this:

your base search here | rex "\/(?<myURI>\w+)\/" | stats count by myURI

If this is what you're looking for, setup the regex as automatic field extraction - read more about this in the docs http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX

Hope this helps ...

cheers, MuS

How do I extract part of a URI and store this string as a new field so I can run statistics on it?