Match several sub-urls, regexp

atanasmitev · ‎10-12-2014

I have a set of URLs in a log like so:

url1:"POST /stuff/test/"
url2: "GET /stuff/test-type?"
url:3"POST /stuff/test-settings/"

I need to evaluate hit count per url type.

The search at the moment can check only one url like so :
source=mysource type=INFO "POST url1" Type=INFO | bucket _time span=24h | stats dc(Remote_IP) as uniqIP, count(Remote_IP) as All_IP, count as total by _time | eval avg_perhour=(total/24) | eval avg_perminute=(avg_perhour/60) | table _time, total, avg_perhour, avg_perminute, uniqIP, All_IP

How do I regexp all three url types in a single search to get per_url hit count ?

atanasmitev · ‎10-13-2014

Thanks , for the response.I 'll look it up, and if needed, try a workaround.

jrodman · ‎10-12-2014

Getting all three regexes is just a matter of making a regex that can repeat-match. You want a regex that will match url:"POST the_url" and not a byte more, and then you want to use the repeating features to pull it out repeatedly, eg |rex … max_match=3, or in props.conf with a REPORTS this happens by default with eg REGEX=(url\d):"POST ([^"]+)" and FORMAT=$1::$2

The part about calculating on all of them at once is kind of over my head.

Match several sub-urls, regexp

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!