Splunk Search

How to write a regular expression to extract and count the number of calls per URL from Apache web access logs?

Contributor

Hi,

I am trying to analyse the Apache web access logs for the below textpayload:

IP -- [Date +0000] "POST /PATH/URI/ HTTP/1.1" 200 1.599 0 "https://URL/to/PAGES.html" "Mozilla/5.0 (

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0" "IP, IP" Correlation-ID="10 Digit number"

Basically, I want to get a number of calls per URL. Here calls are "https://URL/to/PAGES.html" and URL is /PATH/URI/ HTTP/1.1 , Any help is highly appreciated.

thanks

0 Karma

Splunk Employee
Splunk Employee

Below is an example to get you going....

| makeresults count=2 
| streamstats count 
| eval _raw = CASE ( count=1,"IP -- [Date +0000] \"POST /PATH/URI/ HTTP/1.1\" 200 1.599 0 \"https://URL/to/PAGES.html\" \"Mozilla/5.0 ( Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0\" \"IP, IP\" Correlation-ID=\"10 Digit number\"", count=2,"IP -- [Date +0000] \"POST /PATH/URI/ HTTP/1.1\" 200 1.599 0 \"https://URL/to/PAGES2.html\" \"Mozilla/5.0 (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0\" \"IP, IP\" Correlation-ID=\"10 Digit number\"") 
| rex field=_raw "[^\"]*\"[^\"]*\"[^\"]*\"(?<url>[^\"]*)" 
| stats count by url

You might also want to consider looking at Splunk Add-on for Apache Web Server which contains pre-canned fields extractions for apache logs

0 Karma