Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit the eval statement in my search to gro...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
deepak312
Explorer
10-19-2016
12:17 PM
I have hundreds of URLs in my logs like below:
'GET /service/product/details '
'POST /service/product/eligibile '
'POST /service/tour/details '
I want to group these as per feature. Right now, my search is something like this:
eval FEATURE_NAME=case(url=="'POST /service/product/eligibile '" OR url=="'GET /service/product/details '", "PRODUCT_SERVICE", url=="'POST /service/tour/details '", "TOUR_SERVICE" | table FEATURE_NAME
When I have like 30 URLs from one service, the search becomes huge. Can someone please help if we can do some matching like get all "*/product/*" collected in "PRODUCT_SERVICE"?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
10-19-2016
12:25 PM
you could probably do an eval
|eval PRODUCT_SERVICE=match(url,"\/product\/")
|eval TOUR_SERVICE=match(url,"\/tour\/")
|eval FEATURE_NAME=case(isnotnull(PRODUCT_SERVICE),"PRODUCT_SERVICE",isnotnull(TOUR_SERVICE),"TOUR_SERVICE")
a case might work
|eval FEATURE_NAME=case(match(url,"\/product\/"),PRODUCT_SERVICE,match(url,"\/tour\/"),TOUR_SERVICE)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-19-2016
12:38 PM
Why not use makemv & mvindex instead. Like this
| makemv url delim="/"
| eval url1=upper(mvindex(url, 2)."_".mvindex(url, 1))
| table url url1
Here is a run-anywhere sample with your data
| makeresults
| eval url="POST /service/product/eligibile;GET /service/product/details;POST /service/tour/details"
| makemv url delim=";"
| mvexpand url
| makemv url delim="/"
| eval url1=upper(mvindex(url, 2)."_".mvindex(url, 1))
| table url url1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
10-19-2016
12:25 PM
you could probably do an eval
|eval PRODUCT_SERVICE=match(url,"\/product\/")
|eval TOUR_SERVICE=match(url,"\/tour\/")
|eval FEATURE_NAME=case(isnotnull(PRODUCT_SERVICE),"PRODUCT_SERVICE",isnotnull(TOUR_SERVICE),"TOUR_SERVICE")
a case might work
|eval FEATURE_NAME=case(match(url,"\/product\/"),PRODUCT_SERVICE,match(url,"\/tour\/"),TOUR_SERVICE)
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
