Splunk Search
Highlighted

How to edit the eval statement in my search to group URLs?

Explorer

I have hundreds of URLs in my logs like below:

'GET /service/product/details '
'POST /service/product/eligibile '
'POST /service/tour/details '

I want to group these as per feature. Right now, my search is something like this:

eval FEATURE_NAME=case(url=="'POST /service/product/eligibile '" OR url=="'GET /service/product/details '", "PRODUCT_SERVICE", url=="'POST /service/tour/details '", "TOUR_SERVICE" | table FEATURE_NAME

When I have like 30 URLs from one service, the search becomes huge. Can someone please help if we can do some matching like get all "*/product/*" collected in "PRODUCT_SERVICE"?

0 Karma
Highlighted

Re: How to edit the eval statement in my search to group URLs?

Super Champion

you could probably do an eval

|eval PRODUCT_SERVICE=match(url,"\/product\/")
|eval TOUR_SERVICE=match(url,"\/tour\/")
|eval FEATURE_NAME=case(isnotnull(PRODUCT_SERVICE),"PRODUCT_SERVICE",isnotnull(TOUR_SERVICE),"TOUR_SERVICE")

a case might work

|eval FEATURE_NAME=case(match(url,"\/product\/"),PRODUCT_SERVICE,match(url,"\/tour\/"),TOUR_SERVICE)

View solution in original post

Highlighted

Re: How to edit the eval statement in my search to group URLs?

Legend

Why not use makemv & mvindex instead. Like this

| makemv url delim="/" 
| eval url1=upper(mvindex(url, 2)."_".mvindex(url, 1)) 
| table url url1

Here is a run-anywhere sample with your data

| makeresults 
| eval url="POST /service/product/eligibile;GET /service/product/details;POST /service/tour/details" 
| makemv url delim=";" 
| mvexpand url 
| makemv url delim="/" 
| eval url1=upper(mvindex(url, 2)."_".mvindex(url, 1)) 
| table url url1
0 Karma