Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing and grouping with

ajitsd
Explorer
‎11-16-2011 06:03 PM

I am trying to find an hourly count of the content in Apache access log. 

10.113.76.13 - - [16/Nov/2011:17:13:59 -0800] 0 "POST /ApacheApp/default/GetCustomers/1.0 HTTP/1.1" 200 2360
10.113.76.13 - - [16/Nov/2011:17:13:51 -0800] 0 "POST /ApacheApp/default/GetLicenseInfo/1.0 HTTP/1.1" 500 1141
    10.113.76.13 - - [16/Nov/2011:17:14:59 -0800] 0 "POST /ApacheApp/default/GetCustomers/1.0 HTTP/1.1" 200 2360

I want to count frequency of each POST operation string in the following format:

    Hour                                 Service                         Count
1/15/11 5:00:00.000             /default/GetCustomers/1.0                   2
1/15/11 5:00:00.000             /default/GetLicenseInfo/1.0                 1

I tried using timechart option, but I am unsure of how to group these by the pattern in addition to the hour. Does anyone have any ideas?

Tags (2)
0 Karma
Reply

Takajian
Builder
‎11-16-2011 09:05 PM

Is the following command for your requirement? If you want to change time span, please use span option of timechart command. 1h means 1hours. 30m means 30 minutes. Hope this help.

sourcetype="YourSourcetype" | timechart span=1h count by Service

0 Karma
Reply

Takajian
Builder
‎11-16-2011 11:32 PM

You need to extract "Service" field from raw string. Regarding how to extact the field, you can see following. Hope this help
:-)

http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample

0 Karma
Reply

ajitsd
Explorer
‎11-16-2011 10:06 PM

I had done the same query you have mentioned. My main question was about how to extract the "Service" from the raw string?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...