I don't have a ton of experience with Splunk yet but I've been asked to find API endpoints (which appear to be in our raw data) and see how often they're being used.
| 2022-07-08 05:59:06 184.108.40.206 POST /api/transact/credit/sale 5051 - 571.232.505.62 okhttp/3.18.9
| 2022-07-08 05:02:01 220.127.116.11 POST /api/transact/device 6062 - 641.141.323.82 okhttp/2.15.3
What I want to end up with is the api and a count:
Is this possible?
@mcscjlf - Try this:
| rex "\s+(?<ip>\d+\.\d+\.\d+\.\d+)\s+(?<http_method>\w+)\s+(?<endpoint>\S+)" | stats count by endpoint
* I've extracted general fields here - IP, http_method, and endpoint with regex.
I hope this helps!!!
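To show what that rex plus `stats count by endpoint` produces, here is an added Python example (not part of the thread and not Splunk code) that applies an equivalent regex to a handful of constructed log lines in the same layout as the question's sample and counts per endpoint. The first two lines are copied from the post (including its odd-looking, presumably obfuscated client IPs); the rest, the `parse_event`/`count_by_endpoint` names and the query-string stripping are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events in the same layout as the lines in the question.
# The first two are copied from the post; the others are made up for this example.
SAMPLE_EVENTS = [
    "2022-07-08 05:59:06 184.108.40.206 POST /api/transact/credit/sale 5051 - 571.232.505.62 okhttp/3.18.9",
    "2022-07-08 05:02:01 220.127.116.11 POST /api/transact/device 6062 - 641.141.323.82 okhttp/2.15.3",
    "2022-07-08 05:03:10 184.108.40.206 POST /api/transact/credit/sale 5051 - 571.232.505.62 okhttp/3.18.9",
    "2022-07-08 05:04:44 220.127.116.11 GET /api/transact/device?id=7 6062 - 641.141.323.82 okhttp/2.15.3",
    "malformed line that the regex should skip",
]

# Same fields as the rex in the answer (ip, http_method, endpoint), plus the
# timestamp, anchored to the start of the line. Python uses (?P<name>...) where
# Splunk's PCRE rex uses (?<name>...). The IP pattern only checks the shape
# (four dotted numbers); it does not validate octet ranges.
EVENT_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<http_method>[A-Z]+)\s+"
    r"(?P<endpoint>\S+)"
)


def parse_event(line):
    """Return a dict of the extracted fields, or None if the line does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Drop any query string so /api/x?id=1 and /api/x?id=2 count as the same
    # endpoint; otherwise a per-request id inflates the endpoint cardinality.
    fields["endpoint"] = fields["endpoint"].split("?", 1)[0]
    return fields


def count_by_endpoint(lines):
    """Equivalent of `| stats count by endpoint` over the given raw lines."""
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        if event is not None:
            counts[event["endpoint"]] += 1
    return dict(counts)


def count_by_method_and_endpoint(lines):
    """Equivalent of `| stats count by http_method, endpoint`."""
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        if event is not None:
            counts[(event["http_method"], event["endpoint"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for endpoint, n in sorted(count_by_endpoint(SAMPLE_EVENTS).items()):
        print(f"{endpoint}\t{n}")
```

Lines that do not match the pattern are skipped rather than counted, which is also what happens in Splunk when `rex` fails to extract `endpoint`: those events have no value for the `by` field and fall out of the `stats` result, so compare the event count before and after the extraction to make sure the regex is not silently dropping traffic.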