Solved: Re: How to get unique patterns

xvxt006 · ‎05-24-2013

Hi, we would like to get unique query string patterns so that we can cache them at Akamai. i have written a query
rex field=uri "\?(?.*)" | dedup command | table command

Below is the output. You can see 1,2,4,5 etc are same pattern. So how do i get just the unique patterns.

1 perPage=48&requestedPage=97
2 perPage=48&requestedPage=95
3 sst=subset
4 perPage=48&requestedPage=96
5 perPage=48&requestedPage=1
6 bc=y
7 redirect=socket+set
8 searchQuery=2LDR7&fromCatalog=true
9 ta=t
10 searchQuery=2LDR8&fromCatalog=true
11 searchQuery=cable+lug
12 searchQuery=stainless+pallet

kristian_kolb · ‎05-24-2013

Hmm yes..I guess..maybe

your base search | dedup uri | rex field=uri mode=sed "s/=[^&]+/=XXX/g" | dedup uri | eval uri = substr(uri,2) | table uri

Haven't tested it, but it should replace all parameter values in the URL with 'XXX'. Yes there are 2 dedups. The first one is for reducing the number of uri's to be processed by rex. You might skip it if the uri's are almost always different.

This search does not take the order of the parameters into account, so

A=xxx&B=xxx
B=xxx&A=xxx

would be considered different.

Should hopefully work...

/K

View solution in original post

emccaslin · ‎05-29-2014

Even better, use the 'cluster' command!

rex field=uri "?(?.*)" | cluster field=command | table command

With cluster you will get 2 fields, cluster_label (which is just the grouping number) and cluster_count (you many need to specify showcount=true, but this gives you the number of events in that grouping.

xvxt006 · ‎05-29-2014

Thank you. This view is also useful

kristian_kolb · ‎05-24-2013

Hmm yes..I guess..maybe

your base search | dedup uri | rex field=uri mode=sed "s/=[^&]+/=XXX/g" | dedup uri | eval uri = substr(uri,2) | table uri

Haven't tested it, but it should replace all parameter values in the URL with 'XXX'. Yes there are 2 dedups. The first one is for reducing the number of uri's to be processed by rex. You might skip it if the uri's are almost always different.

This search does not take the order of the parameters into account, so

A=xxx&B=xxx
B=xxx&A=xxx

would be considered different.

Should hopefully work...

/K

xvxt006 · ‎05-29-2014

Thank you. So it will just remove the first character only?
so if i have uri as testuri?query=something, it will be esturi?query=something

xvxt006 · ‎05-29-2014

Even without eval uri = substr(uri,2) i am still getting the same results

xvxt006 · ‎05-29-2014

Hi K, one question - why do you have eval uri = substr(uri,2)?

kristian_kolb · ‎11-10-2013

This was some time ago, so I don't really remember 🙂

The effect is to remove the first character of the uri. If not needed - skip that step.

/k

xvxt006 · ‎11-10-2013

Hi Kristian why do you have substr(uri,2)?

xvxt006 · ‎05-24-2013

i define pattern as having different parameters (not worried about neither the order of the parameters as long as they are same parameters nor the values of them). So that is why i said 1,2,4,5 are one pattern (same parameters but different values. Even if same values also i am fine). number 3 is another pattern, number 6 and 7 are different patterns. 8 and 10 are same pattern, 11 and 12 are same pattern etc.

Ayn · ‎05-24-2013

How do you define "pattern"? Name and order of parameters?

How to get unique patterns

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...