Splunk Search
Highlighted

How to merge and make one result out of multiple results

Explorer

HI,

I have a result which displays common starting URI. but I have to combine it to one and have the result, how can I do it ?

Result -

/credit/company/23532525 . 10
/credit/company/34532523 . 30
/credit/product/23235225 . 40

I need something like

/credit/ 80

0 Karma
Highlighted

Re: How to merge and make one result out of multiple results

Champion

Updated to remove the limitation of just Credit events.

index=cap host=prod
| rex field=URI "^(?<firstsegment>/[^/]+)/"
| stats count BY firstsegment
0 Karma
Highlighted

Re: How to merge and make one result out of multiple results

Explorer

Thank you for the reply.

So after I did the below search

index=cap host=prod SERVICE="Credit" | eval product=case( URI="/credit/" ,"Credit", 1==1,URI ) | stats count as total by product

I got

/credit/company/23532525 . 10
/credit/company/34532523 . 30
/credit/product/23235225 . 40

I need that to be

/credit/ . 80

0 Karma
Highlighted

Re: How to merge and make one result out of multiple results

Champion

Edited to take that into consideration.

0 Karma
Highlighted

Re: How to merge and make one result out of multiple results

Explorer

Thanks for the reply, this works!

How can I add multiple URI's like credit, trans, bank.... ?

where I am looking forward an output like below,

/credit/ . 80
/transaction/ . 100
/Bank/ . 50

0 Karma
Highlighted

Re: How to merge and make one result out of multiple results

Champion

I think you just need to not filter for just the Credit events. I've updated my answer to reflect this.

0 Karma
Highlighted

Re: How to merge and make one result out of multiple results

Explorer

With the updated search it's not showing any result.

0 Karma
Highlighted

Re: How to merge and make one result out of multiple results

Legend

[UPDATED]
Modified mock query based on updated details.


@raviteja029, can you post some sample URIs from your raw events with credit transaction and bank? Do they actually start like the example in your question i.e. /credit/... or is there something prefixing i.e..../credit/...? While posting the code and sample data make sure you use the code button (101010) so that special characters like asterisk (*) do not escape.

Following is a run anywhere search based on the sample data in the question. Pipes from makeresults till mvexpand mimic the sample data.

The eval command uses replace() function to retain only the first part of URI and then stats count by URI gives the required result you are looking for.

| makeresults
| eval URI="https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/34532523;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/product/23235225;https://api-sandbox..com/credit/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/34532523;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/product/23235225;https://api-sandbox..com/transaction/company/23532525;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/34532523;https://api-sandbox..com/bank/product/23235225;https://api-sandbox..com/bank/company/23532525"
 | makemv URI delim=";" 
 | mvexpand URI
 | eval URI=replace(URI,"^(.*).com\/([^\/]+)?+\/(.*)","\2")
 | stats count by URI

PS: You can try the following command in your case (if it does not work post actual URI values as per your events as requested):

 index=cap host=prod SERVICE="Credit" 
| eval URI=replace(URI,"^(.*).com\/([^\/]+)?+\/(.*)","\2")
| stats count by URI



| eval message="Happy Splunking!!!"


View solution in original post

0 Karma
Highlighted

Re: How to merge and make one result out of multiple results

Explorer

@aniketnilay Thank you for your response.

My actual query should go search the 3 URI's in the entire set of results which are
Credit, Bank, Transactions in the URI and the URI's of each something looks like below,

Bank - https://api-sandbox.****.com/bank/deposits/account-applications
- https://api-sandbox.****.com/bank/deposits/details
- https://api-sandbox.****.com/bank/application/

Credit - https://api-sandbox.****.com/credit/products?li/34141
- https://api-sandbox.****.com/credit/business/43414

here I want to get details where how many calls were made for each API for credit/Bank/Transactions and compare in once single graph

0 Karma
Highlighted

Re: How to merge and make one result out of multiple results

Legend

@raviteja029, can you try the updated answer?




| eval message="Happy Splunking!!!"


0 Karma