I have an enterprise scale MVC website with 4 or 5 major modules/views that runs on a Windows server with full IIS logging enabled. I want to get a count of the requests under each view (e.g. /admin/...) or JavaScript/PlugIn library (e.g. /scripts/plugins/popover/...) that take longer than 2 seconds.

The search I have now is:

cs_host = myawesomesite.com AND time_taken > 2000 | timechart count by cs_uri_stem

This search returns every file requested (e.g. /Scripts/PageScripts/TransactionController.js). This is a problem because there are too many distinct file names to show in one report legend (Splunk groups files that can't be displayed into "Other"). If I can group by view or library, which live in their own folders, I can get the count per section of the site I need.

What I'm looking for is a legend with the following items (and a chart to go with it obviously):

/Admin
/Managment
/Reporting
/Scripts/Plugins/grid-view
/Content/CSS
...

I believe there's a way to parse fields with a regex and store that so it can be used in the group by but, after hours of research and testing, I could not get a search to produce the results I need.

Thanks!