Splunk Search

How to merge and make one result out of multiple results

raviteja029
Explorer

HI,

I have a result which displays common starting URI. but I have to combine it to one and have the result, how can I do it ?

Result -

/credit/company/23532525 . 10
/credit/company/34532523 . 30
/credit/product/23235225 . 40

I need something like

/credit/ 80

0 Karma
1 Solution

niketn
Legend

[UPDATED]
Modified mock query based on updated details.


@raviteja029, can you post some sample URIs from your raw events with credit transaction and bank? Do they actually start like the example in your question i.e. /credit/... or is there something prefixing i.e..../credit/...? While posting the code and sample data make sure you use the code button (101010) so that special characters like asterisk (*) do not escape.

Following is a run anywhere search based on the sample data in the question. Pipes from makeresults till mvexpand mimic the sample data.

The eval command uses replace() function to retain only the first part of URI and then stats count by URI gives the required result you are looking for.

| makeresults
| eval URI="https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525"
 | makemv URI delim=";" 
 | mvexpand URI
 | eval URI=replace(URI,"^(.*).com\/([^\/]+)?+\/(.*)","\2")
 | stats count by URI

PS: You can try the following command in your case (if it does not work post actual URI values as per your events as requested):

 index=cap host=prod SERVICE="Credit" 
| eval URI=replace(URI,"^(.*).com\/([^\/]+)?+\/(.*)","\2")
| stats count by URI
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

[UPDATED]
Modified mock query based on updated details.


@raviteja029, can you post some sample URIs from your raw events with credit transaction and bank? Do they actually start like the example in your question i.e. /credit/... or is there something prefixing i.e..../credit/...? While posting the code and sample data make sure you use the code button (101010) so that special characters like asterisk (*) do not escape.

Following is a run anywhere search based on the sample data in the question. Pipes from makeresults till mvexpand mimic the sample data.

The eval command uses replace() function to retain only the first part of URI and then stats count by URI gives the required result you are looking for.

| makeresults
| eval URI="https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525"
 | makemv URI delim=";" 
 | mvexpand URI
 | eval URI=replace(URI,"^(.*).com\/([^\/]+)?+\/(.*)","\2")
 | stats count by URI

PS: You can try the following command in your case (if it does not work post actual URI values as per your events as requested):

 index=cap host=prod SERVICE="Credit" 
| eval URI=replace(URI,"^(.*).com\/([^\/]+)?+\/(.*)","\2")
| stats count by URI
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

raviteja029
Explorer

@niketnilay thank you for the response.

I was able to get the answer by using the below search, your answers helped me get there.

index=cap host=prod |
eval product=case(URI like "/credit/%","Credit",
URI like "/credit/%","Transactions",1==1, "Others")|
stats count by product

raviteja029
Explorer

@aniketnilay Thank you for your response.

My actual query should go search the 3 URI's in the entire set of results which are
Credit, Bank, Transactions in the URI and the URI's of each something looks like below,

Bank - https://api-sandbox.****.com/bank/deposits/account-applications
- https://api-sandbox.****.com/bank/deposits/details
- https://api-sandbox.****.com/bank/application/

Credit - https://api-sandbox.****.com/credit/products?li/34141
- https://api-sandbox.****.com/credit/business/43414

here I want to get details where how many calls were made for each API for credit/Bank/Transactions and compare in once single graph

0 Karma

niketn
Legend

@raviteja029, can you try the updated answer?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

micahkemp
Champion

Updated to remove the limitation of just Credit events.

index=cap host=prod
| rex field=URI "^(?<firstsegment>/[^/]+)/"
| stats count BY firstsegment
0 Karma

raviteja029
Explorer

Thanks for the reply, this works!

How can I add multiple URI's like credit, trans, bank.... ?

where I am looking forward an output like below,

/credit/ . 80
/transaction/ . 100
/Bank/ . 50

0 Karma

micahkemp
Champion

I think you just need to not filter for just the Credit events. I've updated my answer to reflect this.

0 Karma

raviteja029
Explorer

With the updated search it's not showing any result.

0 Karma

raviteja029
Explorer

Thank you for the reply.

So after I did the below search

index=cap host=prod SERVICE="Credit" | eval product=case( URI="/credit/" ,"Credit", 1==1,URI ) | stats count as total by product

I got

/credit/company/23532525 . 10
/credit/company/34532523 . 30
/credit/product/23235225 . 40

I need that to be

/credit/ . 80

0 Karma

micahkemp
Champion

Edited to take that into consideration.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...