Parsing and grouping with

ajitsd · ‎11-16-2011

I am trying to find an hourly count of the content in Apache access log.

10.113.76.13 - - [16/Nov/2011:17:13:59 -0800] 0 "POST /ApacheApp/default/GetCustomers/1.0 HTTP/1.1" 200 2360
10.113.76.13 - - [16/Nov/2011:17:13:51 -0800] 0 "POST /ApacheApp/default/GetLicenseInfo/1.0 HTTP/1.1" 500 1141
    10.113.76.13 - - [16/Nov/2011:17:14:59 -0800] 0 "POST /ApacheApp/default/GetCustomers/1.0 HTTP/1.1" 200 2360

I want to count frequency of each POST operation string in the following format:

    Hour                                 Service                         Count
1/15/11 5:00:00.000             /default/GetCustomers/1.0                   2
1/15/11 5:00:00.000             /default/GetLicenseInfo/1.0                 1

I tried using timechart option, but I am unsure of how to group these by the pattern in addition to the hour. Does anyone have any ideas?

Takajian · ‎11-16-2011

Is the following command for your requirement? If you want to change time span, please use span option of timechart command. 1h means 1hours. 30m means 30 minutes. Hope this help.

sourcetype="YourSourcetype" | timechart span=1h count by Service

Takajian · ‎11-16-2011

You need to extract "Service" field from raw string. Regarding how to extact the field, you can see following. Hope this help
:-)

http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample

ajitsd · ‎11-16-2011

I had done the same query you have mentioned. My main question was about how to extract the "Service" from the raw string?