Splunk Search

Match several sub-urls, regexp

Path Finder

I have a set of URLs in a log like so:

url1:"POST /stuff/test/"
url2: "GET /stuff/test-type?"
url:3"POST /stuff/test-settings/"

I need to evaluate hit count per url type.

The search at the moment can check only one url like so :
source=mysource type=INFO "POST url1" Type=INFO | bucket _time span=24h | stats dc(Remote_IP) as uniqIP, count(Remote_IP) as All_IP, count as total by _time | eval avg_perhour=(total/24) | eval avg_perminute=(avg_perhour/60) | table _time, total, avg_perhour, avg_perminute, uniqIP, All_IP

How do I regexp all three url types in a single search to get per_url hit count ?

Tags (2)
0 Karma

Path Finder

Thanks , for the response.I 'll look it up, and if needed, try a workaround.

0 Karma

Splunk Employee
Splunk Employee

Getting all three regexes is just a matter of making a regex that can repeat-match. You want a regex that will match url:"POST the_url" and not a byte more, and then you want to use the repeating features to pull it out repeatedly, eg |rex … max_match=3, or in props.conf with a REPORTS this happens by default with eg REGEX=(url\d):"POST ([^"]+)" and FORMAT=$1::$2

The part about calculating on all of them at once is kind of over my head.

0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...