Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you group by substring of URI?

vas123
Explorer
‎04-01-2019 02:59 PM

I have raw data like below:

/?AID=10654946&PID= 40
/test_main.jsp       232
/topic1.jsp?redirectPage=/main/word/undefined 50
/topic1.jsp?redirectPage=/site.webmaster 200

I would like have the url up until "?" and some URI does not have "?"

I would like to see as below

URI Count
/ 40
/topic_request.jsp 250
/test_main.jsp 232

Can some one give me an idea how I can achieve this?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

spavin
Path Finder
‎04-01-2019 03:17 PM

Hi @vas123,

You can do this via the rex command:

| makeresults count=4 
| streamstats count as id 
| eval url=case(id=1,"/", id=2,"/?AID=10654946&PID= 40", id=3,"/topic1.jsp?redirectPage=/main/word/undefined 50",id=4,"/topic1.jsp?redirectPage=/site.webmaster 200")
| rex field=url "^(?<page>[^?]+)(?<querystring>\?[^\s]+)?\s(?<count>[0-9]+)$"
| stats sum(count) as "Total Count" by page

The first few lines are just to setup the test data - you'd only need the last two lines.

If you are interested in the querystring, it's captured too.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-01-2019 09:03 PM

I would use the URL toolbox app for this:

https://splunkbase.splunk.com/app/2734/

0 Karma
Reply
Solved! Jump to solution
Solution

spavin
Path Finder
‎04-01-2019 03:17 PM

Hi @vas123,

You can do this via the rex command:

| makeresults count=4 
| streamstats count as id 
| eval url=case(id=1,"/", id=2,"/?AID=10654946&PID= 40", id=3,"/topic1.jsp?redirectPage=/main/word/undefined 50",id=4,"/topic1.jsp?redirectPage=/site.webmaster 200")
| rex field=url "^(?<page>[^?]+)(?<querystring>\?[^\s]+)?\s(?<count>[0-9]+)$"
| stats sum(count) as "Total Count" by page

The first few lines are just to setup the test data - you'd only need the last two lines.

If you are interested in the querystring, it's captured too.

Reply
Solved! Jump to solution

vas123
Explorer
‎04-02-2019 09:44 AM

Thank you. It worked

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...