Splunk Search

Match several sub-urls, regexp

atanasmitev
Path Finder

I have a set of URLs in a log like so:

url1:"POST /stuff/test/"
url2: "GET /stuff/test-type?"
url:3"POST /stuff/test-settings/"

I need to evaluate hit count per url type.

The search at the moment can check only one url like so :
source=mysource type=INFO "POST url1" Type=INFO | bucket _time span=24h | stats dc(Remote_IP) as uniqIP, count(Remote_IP) as All_IP, count as total by _time | eval avg_perhour=(total/24) | eval avg_perminute=(avg_perhour/60) | table _time, total, avg_perhour, avg_perminute, uniqIP, All_IP

How do I regexp all three url types in a single search to get per_url hit count ?

Tags (2)
0 Karma

atanasmitev
Path Finder

Thanks , for the response.I 'll look it up, and if needed, try a workaround.

0 Karma

jrodman
Splunk Employee
Splunk Employee

Getting all three regexes is just a matter of making a regex that can repeat-match. You want a regex that will match url:"POST the_url" and not a byte more, and then you want to use the repeating features to pull it out repeatedly, eg |rex … max_match=3, or in props.conf with a REPORTS this happens by default with eg REGEX=(url\d):"POST ([^"]+)" and FORMAT=$1::$2

The part about calculating on all of them at once is kind of over my head.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...