Splunk Search

How to do the addition of content loaded from a Page

Shashank_87
Explorer

Hi, I have a requirement where I have a page say https://www.abc.com/mobile and this page loads various assets like css, js, images etc.
In my access logs I get everything like size of the pages and assets.

Say my referer is "https://www.abc.com/mobile/monthly" and this page loads 10 assets (js, css, images etc). How do I sum the size of those assets + size of the page itself and put it in a tabular format with 2 columns - Page and total size? I was doing something like below but it's not what I want:

index=temp sourcetype=access_combined_wcookie referer="https://www.abc.com/mobile/monthly" OR requested_content="/mobile/monthly"
| stats values(size) as size count by requested_content

Let me know if someone can help. It will be appreciated.

0 Karma

DalJeanis
SplunkTrust

The best way to get a comprehensive solution is to give us an example of the data. Just make one or more tables that show each type of event and what some fake example data might look like. Since you want to deal with multiple referers, you probably should include two different examples for that.

What are the relevant fields when the event has referer="https://www.abc.com/mobile/monthly", and what are the relevant fields when it has requested_content="/mobile/monthly"? How does a human know that those two types of records get linked?

0 Karma

niketnilay
Legend

@Shashank_87, have you tried the following?

<yourCurrentSearch>
| stats sum(size) as "Total Size" by referer

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

Shashank_87
Explorer

@niketnilay Thanks for the quick response. Yes, I did. And 90%, it gives me the result. I have 2 queries now -

  1. This command gives me 2 rows because the page itself would have a referer which will be added to the row. I just want one row with the sum of (size of assets + size of page). Hope you get what I am saying. Like if I go to this page https://www.abc.com/mobile/monthly from a browser using Google then the referer for this page would be logged as "https://google.com"
  2. And I have multiple referers, say 40. Do I have to manually put OR is there a faster way?

Let me know if you can help please

0 Karma

niketnilay
Legend

@Shashank_87, what do you mean by 2 rows and 1 row? The stats command creates rows using the split-by field, which in my code is referer. If you need one row, your by clause should have that field instead.
Is the field requested_content the page that you are referring to in your question? Which field represents the asset? Can you add some sample data and more details for the community to assist you better?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
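
One way to get a single row per page without listing each referer, as an added example that is not from any poster in this thread: asset requests are keyed by the path of their referer, page requests by their own requested_content, and size is then summed per page. It assumes that requested_content holds the URL path, that assets can be recognised by file extension (the extension list here is illustrative), and that the pages of interest live under /mobile; the helper fields is_asset, referer_path, own_path and total_size are names introduced for this example.

```spl
index=temp sourcetype=access_combined_wcookie
| eval is_asset=if(match(requested_content, "(?i)\.(css|js|png|jpe?g|gif|svg|ico|woff2?)(\?.*)?$"), 1, 0)
| eval referer_path=replace(replace(referer, "^https?://[^/]+", ""), "[?#].*$", "")
| eval own_path=replace(requested_content, "[?#].*$", "")
| eval Page=rtrim(if(is_asset=1, referer_path, own_path), "/")
| where like(Page, "/mobile%")
| stats sum(size) as total_size sum(is_asset) as "Asset Requests" by Page
| sort - total_size
| rename total_size as "Total Size"
```

Because the page request is grouped by its own path rather than by its referer, a visit arriving from an external site such as a search engine still lands in the same row as the assets that page loaded.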