Solved: Re: How to count stats by grouping substring from ...

prakashpnvs · ‎09-18-2019

Here is my search:
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/*

and I have the following logs in my search:
/PL/data/2.0/space/appA/29323820jdd3723.txt
/PL/data/2.0/space/appA/search/373367672djbd
/PL/data/2.0/space/appB/abcdefsfjdf.pdf
/PL/data/2.0/space/appB/get/9668568696
/PL/data/2.0/space/appC/search/9650865686rt
/PL/data/2.0/space/appD/6384387498374.jpg

Now, I want the stats count results like below:
appA 2
appB 2
appC 1
appD 1

Anantha123 · ‎09-18-2019

Try this
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | table App Request | stats count by APP

View solution in original post

Anantha123 · ‎09-18-2019

Try this
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | table App Request | stats count by APP

prakashpnvs · ‎09-18-2019

Executed this in Splunk UI and got the results in Visualization tab
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | stats count by APP

also sorted it by ..... | sort - count

Thanks much!

How to count stats by grouping substring from an URI

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023