Splunk Search

How do i get the url without params

mikeyty07
Communicator

I am trying to make a report based on the url, and avg response that certain url is taking. I am able to get the logs but wanted specifically without the params so i can have how many response time certain url is making. Below is the sample eg:
I can see the data like this but it creates multiple data
https://abc-google.com/ABC/abc/1234/abc

like this and i want only data from one url 

https://abc-google.com/ABC/abc/1342/abc

which could remove the params and show something like this

https://abc-google.com/ABC/abc/{num}/abc

there are many url like this 

https://abc-google.com/CDE/abc/cde/abc/cde/111

Is it possible to get all the data without params and have average response time on it?

Tags (1)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

@mikeyty07 naming the fields as url, Id, resp_time. Can you try following query?

<your_dbquery_goes_here> 
| stats values(url) as urls, avg(resp_time) as avg_time, max(resp_time) as max_time ,count by Id

---

An upvote would be appreciated and Accept solution if it helps!

View solution in original post

venkatasri
SplunkTrust
SplunkTrust

@mikeyty07 That might work can  you post samples of ID's how they looks like?

0 Karma

mikeyty07
Communicator
0 Karma

venkatasri
SplunkTrust
SplunkTrust

@mikeyty07  regex might not work can you post exact event samples, you can mask critical info when you post it. more the samples its better!

0 Karma

mikeyty07
Communicator

i am actually searching dbquery so it wont show raw events but shows only stats 

https://abc.com/abc/api/cachepostApiCache13
https://abc.com/abc-tracktrack549
https://abc.com/bbc/api/apicapostCache15
https://abc.com/til/api/apiApiPOST14
https://abc.com:443/efghefgs382
0 Karma

venkatasri
SplunkTrust
SplunkTrust

@mikeyty07 naming the fields as url, Id, resp_time. Can you try following query?

<your_dbquery_goes_here> 
| stats values(url) as urls, avg(resp_time) as avg_time, max(resp_time) as max_time ,count by Id

---

An upvote would be appreciated and Accept solution if it helps!

mikeyty07
Communicator

Thank you!! this works perfectly

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @mikeyty07 

Unless you have all list of all url's and what's the dynamic portion/params of eacjh url it's really hard achieving your  requirement. if you have that list  | rex mode=sed  is the way to replace dynamic portion to something like {param} and apply stats on top of it to gather avg etc..

---

An upvote would be appreciated if it helps!

Tags (1)
0 Karma

mikeyty07
Communicator

how about if there is ID name(which is one unique name), instead of the url(because it contains other params as well for the same url) and based on the ID it display the avg time for other IDs as well with url displaying only params in it for other unique IDs  as well?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...