Solved: Re: How to count stats by grouping substring from ...

prakashpnvs · ‎09-18-2019

Here is my search:
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/*

and I have the following logs in my search:
/PL/data/2.0/space/appA/29323820jdd3723.txt
/PL/data/2.0/space/appA/search/373367672djbd
/PL/data/2.0/space/appB/abcdefsfjdf.pdf
/PL/data/2.0/space/appB/get/9668568696
/PL/data/2.0/space/appC/search/9650865686rt
/PL/data/2.0/space/appD/6384387498374.jpg

Now, I want the stats count results like below:
appA 2
appB 2
appC 1
appD 1

Anantha123 · ‎09-18-2019

Try this
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | table App Request | stats count by APP

View solution in original post

Anantha123 · ‎09-18-2019

Try this
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | table App Request | stats count by APP

prakashpnvs · ‎09-18-2019

Executed this in Splunk UI and got the results in Visualization tab
index=app sourcetype=access context=PL uri=/PL/data/2.0/space/* | rex field=uri "/PL/data/2.0/space/(?< APP>[^/]+)/(?< Request>[^\s]+)" | stats count by APP

also sorted it by ..... | sort - count

Thanks much!

How to count stats by grouping substring from an URI

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation