
How to replace the similar uri_paths in a Splunk search to calculate the response time for each endpoint?

Explorer

Example:

application="example" index=web uri_path="/some/example/*"

In my application, I have similar uripaths. I want to replace uripath and calculate the response time for each endpoint.

Uripaths: I have 4 different uripaths; each uri_path has a different number at the end. That number is nothing but a unique generated number for each request.

/com/google/example/request/123456788000
/com/google/example/request/98760456098
/com/google/example/request/4521346098
/com/google/example/request/6983256709
/com/google/example/request/45321670987
/com/google/example/request/9834708641

/com/google/example/request/bulk/12345678090
/com/google/example/request/bulk/6521340976
/com/google/example/request/bulk/5679084124
/com/google/example/request/bulk/428429720
/com/google/example/request/bulk/7267311890
/com/google/example/request/bulk/254102157

/com/google/example/request/different/12345668900
/com/google/example/request/different/6358097421
/com/google/example/request/different/0789043267
/com/google/example/request/different/67562463129
/com/google/example/request/different/0737912913243

/com/google/example/request/12345677/12345770
/com/google/example/request/126938710/2397100701
/com/google/example/request/625197012804/77064261381
/com/google/example/request/26912783-12/07129512
/com/google/example/request/6877207401/09737861

So I would like to consider each endpoint as one uripath and calculate the response time of that uripath. This way, I'll get to know how long each endpoint is taking to complete the process.

How to replace above similar uripath into separate uripath to calculate the response time of each endpoint?

I have replaced some uri_paths using replace command, for above request it is not working.

0 Karma

SplunkTrust

Sorry but I'm struggling to understand what you are trying to do.
If you just want to get rid of the random number at the end of the uri_path so that you can then group by endpoint, then the following should work. Please provide some information on the desired output.

| rex field=uri_path "(?<endpoint>.+?)/[\d/]+$"


Regards,
J

0 Karma

Legend

Instead of replace, try rex. Here is an example. I'm unsure where you're getting the {ID} from...

    rex mode=sed field=uri_path "s/(com\/google\/example\/request\/).*/\1{ID}/g"
0 Karma

Legend

This will give you the last two segments of uri_path
*UPDATED*

... | rex field=uri_path "(?<endpoint>.+?)/[\d/]+$" | stats earliest(_time) as start latest(_time) as end by endpoint | eval duration=tostring(round(end-start, 0), "duration")
0 Karma

Legend

@greeshmak try my updated answer. If that does work, please share desired output and an example of what you call "endpoint"

0 Karma

Legend

Can you give an example of how the replaced value might look?

0 Karma

Explorer

I'm replacing the uri_path by using the replace command.

Ex:

application="example" index="web" uri_path="/some/example/*"| replace "/com/google/example/request/*" WITH "/com/google/example/request/{ID}" in uri_path|replace "/com/google/example/request/bulk/*" with "/com/google/example/request/bulk/{Id}" in uri_path| replace "/com/google/example/request/different/*" with "/com/google/example/request/different/{Id}" in uri_path| replace " /com/google/example/request/*/*" with " /com/google/example/request/{Id1}/{Id2}"

Results are only showing the "/com/google/example/request/*" end point since I'm using the * after request.

0 Karma
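Added example, not part of any post in this thread: a regex-based alternative to the chained `replace` commands, which rewrites every path segment that starts with a digit and contains only digits and hyphens to `{ID}`, so the four path shapes from the question land in four separate endpoints. The sample events are constructed with `makeresults` from paths in the question, and `response_time` is an assumed field name with constructed values; substitute the field that holds the response time in your data.

```spl
| makeresults
| eval uri_path=mvappend(
    "/com/google/example/request/123456788000",
    "/com/google/example/request/98760456098",
    "/com/google/example/request/bulk/12345678090",
    "/com/google/example/request/bulk/6521340976",
    "/com/google/example/request/different/12345668900",
    "/com/google/example/request/12345677/12345770",
    "/com/google/example/request/26912783-12/07129512")
| mvexpand uri_path
| streamstats count as n
| eval response_time=n*100
| eval endpoint=replace(uri_path, "/\d[\d-]*(?=/|$)", "/{ID}")
| stats count avg(response_time) as avg_response_time max(response_time) as max_response_time by endpoint
```

On real data, put the base search in place of the first five stages and keep only the last `eval` and the `stats`. Because each numeric segment is rewritten on its own, the two-ID paths become `/com/google/example/request/{ID}/{ID}` instead of merging with the single-ID endpoint.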