Solved: How to search the count of web requests by folder ...

madrum · ‎11-18-2015

I have an enterprise scale MVC website with 4 or 5 major modules/views that runs on a Windows server with full IIS logging enabled. I want to get a count of the requests under each view (e.g. /admin/...) or JavaScript/PlugIn library (e.g. /scripts/plugins/popover/...) that take longer than 2 seconds.

The search I have now is:

cs_host = myawesomesite.com AND time_taken > 2000 | timechart count by cs_uri_stem

This search returns every file requested (e.g. /Scripts/PageScripts/TransactionController.js). This is a problem because there are too many distinct file names to show in one report legend (Splunk groups files that can't be displayed into "Other"). If I can group by view or library, which live in their own folders, I can get the count per section of the site I need.

What I'm looking for is a legend with the following items (and a chart to go with it obviously):

/Admin
/Managment
/Reporting
/Scripts/Plugins/grid-view
/Content/CSS
...

I believe there's a way to parse fields with a regex and store that so it can be used in the group by but, after hours of research and testing, I could not get a search to produce the results I need.

Thanks!

sundareshr · ‎11-18-2015

Try this

cs_host=mysite.com | rex field=cs_uri_stem "(?<path>\/.*\/)" | timechart count by path

View solution in original post

sundareshr · ‎11-18-2015

Try this

cs_host=mysite.com | rex field=cs_uri_stem "(?<path>\/.*\/)" | timechart count by path

madrum · ‎11-18-2015

Perfect! Thanks very much.

How to search the count of web requests by folder specified in URI stem of web server logs?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!