How do I group similar URLs into one event?

deeps1984 · ‎09-14-2016

I am doing a search to get the total count of different URIs and their response times. My result has multiple events of similar URLs -

Like /abc/{id1}/xyz;  
/abc/{id2}/xyz
/abc/{id3}/xyz.

Only the {id} in the URL varies, and the rest of the URI portion is same.

How can I group these events as 1 event, and still get the total count of hits to this URI?

This is my search -

index=stuff RelativeURI="/abc/*/xyz"  |stats count as total_call_count, avg(ResponseTime) as avgResponse by RelativeURI

sundareshr · ‎09-14-2016

Try this

index=stuff RelativeURI="/abc/*/xyz" | rex field=RelativeURI "(?<url1>\/\S+\/)\S+\/(?<url2>\S+)" | eval url=url1.url2 | stats count as total_call_count, avg(ResponseTime) as avgResponse by url

somesoni2 · ‎09-14-2016

Try this

index=stuff RelativeURI="/abc/*/xyz" | eval RelativeURI =replace(RelativeURI ,"^(\/[^\/]+\/)([^\/]+)(\/[^\/]+)","\1XXX\3") |stats count as total_call_count, avg(ResponseTime) as avgResponse by RelativeURI

somesoni2 · ‎09-14-2016

On second thought, if you're hardcoding the URL (format at least) in the base search, why not just remove the by clause from stats. That will give you total count and average for all matching URI's. Like this

index=stuff RelativeURI="/abc/*/xyz" |stats count as total_call_count, avg(ResponseTime) as avgResponse | eval RelativeURI="/abc/*/xyz" | table RelativeURI total_call_count avgResponse

How do I group similar URLs into one event?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?