Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you group by substring of URI?

vas123
Explorer
‎04-01-2019 02:59 PM

I have raw data like below:

/?AID=10654946&PID= 40
/test_main.jsp       232
/topic1.jsp?redirectPage=/main/word/undefined 50
/topic1.jsp?redirectPage=/site.webmaster 200

I would like have the url up until "?" and some URI does not have "?"

I would like to see as below

URI Count
/ 40
/topic_request.jsp 250
/test_main.jsp 232

Can some one give me an idea how I can achieve this?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

spavin
Path Finder
‎04-01-2019 03:17 PM

Hi @vas123,

You can do this via the rex command:

| makeresults count=4 
| streamstats count as id 
| eval url=case(id=1,"/", id=2,"/?AID=10654946&PID= 40", id=3,"/topic1.jsp?redirectPage=/main/word/undefined 50",id=4,"/topic1.jsp?redirectPage=/site.webmaster 200")
| rex field=url "^(?<page>[^?]+)(?<querystring>\?[^\s]+)?\s(?<count>[0-9]+)$"
| stats sum(count) as "Total Count" by page

The first few lines are just to setup the test data - you'd only need the last two lines.

If you are interested in the querystring, it's captured too.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-01-2019 09:03 PM

I would use the URL toolbox app for this:

https://splunkbase.splunk.com/app/2734/

0 Karma
Reply
Solved! Jump to solution
Solution

spavin
Path Finder
‎04-01-2019 03:17 PM

Hi @vas123,

You can do this via the rex command:

| makeresults count=4 
| streamstats count as id 
| eval url=case(id=1,"/", id=2,"/?AID=10654946&PID= 40", id=3,"/topic1.jsp?redirectPage=/main/word/undefined 50",id=4,"/topic1.jsp?redirectPage=/site.webmaster 200")
| rex field=url "^(?<page>[^?]+)(?<querystring>\?[^\s]+)?\s(?<count>[0-9]+)$"
| stats sum(count) as "Total Count" by page

The first few lines are just to setup the test data - you'd only need the last two lines.

If you are interested in the querystring, it's captured too.

Reply
Solved! Jump to solution

vas123
Explorer
‎04-02-2019 09:44 AM

Thank you. It worked

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...