Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Match several sub-urls, regexp

atanasmitev
Path Finder
‎10-12-2014 08:54 AM

I have a set of URLs in a log like so:

url1:"POST /stuff/test/"
url2: "GET /stuff/test-type?"
url:3"POST /stuff/test-settings/"

I need to evaluate hit count per url type.

The search at the moment can check only one url like so :
source=mysource type=INFO "POST url1" Type=INFO | bucket _time span=24h | stats dc(Remote_IP) as uniqIP, count(Remote_IP) as All_IP, count as total by _time | eval avg_perhour=(total/24) | eval avg_perminute=(avg_perhour/60) | table _time, total, avg_perhour, avg_perminute, uniqIP, All_IP

How do I regexp all three url types in a single search to get per_url hit count ?

Tags (2)
0 Karma
Reply

atanasmitev
Path Finder
‎10-13-2014 03:22 AM

Thanks , for the response.I 'll look it up, and if needed, try a workaround.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎10-12-2014 04:38 PM

Getting all three regexes is just a matter of making a regex that can repeat-match. You want a regex that will match url:"POST the_url" and not a byte more, and then you want to use the repeating features to pull it out repeatedly, eg |rex … max_match=3, or in props.conf with a REPORTS this happens by default with eg REGEX=(url\d):"POST ([^"]+)" and FORMAT=$1::$2

The part about calculating on all of them at once is kind of over my head.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...