Solved: Re: How to calculate Raw data for API endpoints an...

mcscjlf · ‎07-08-2022

I don't have a ton of experience with Splunk yet but I've been asked to find API endpoints (which appear to be in our raw data) and see how often their being used.

Example Events:

| 2022-07-08 05:59:06 21.30.2.80 POST /api/transact/credit/sale 5051 - 571.232.505.62 okhttp/3.18.9

| 2022-07-08 05:02:01 22.35.3.79 POST /api/transact/device 6062 - 641.141.323.82 okhttp/2.15.3

What I want to end up with is the api and a count:

/api/transact/credit/sale 3,475

/api/transact/device 275

Is this possible?

Thank you!!

ITWhisperer · ‎07-08-2022

Assuming your apis are preceded by POST, try this

| rex "POST (?<api>\S+)"
| stats count by api

View solution in original post

mcscjlf · ‎07-11-2022

This worked perfectly, thank you!!

VatsalJagani · ‎07-09-2022

@mcscjlf - Try this:

| rex "\s+(?<ip>\d+\.\d+\.\d+\.\d+\s+)(?<http_method>\w+)\s+(?<endpoint>\S+)"
| stats count by endpoint

* I've extracted general fields here - IP, http_method, and endpoint with regex.

I hope this helps!!!

ITWhisperer · ‎07-08-2022

Assuming your apis are preceded by POST, try this

| rex "POST (?<api>\S+)"
| stats count by api

How to calculate Raw data for API endpoints and count?

field extraction

rex

stats

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?