Solved: Re: Query for Multiple URLs

kvanwagoner · ‎12-06-2019

I'm sure this will be easy for you guys but I"m struggling with it..
I need to modify this query to look for both the http://open/FinalNumbers as well as a URL of https://apicorp.company/open/FinalNumbers

Please help!

jpolvino · ‎12-06-2019

Sounds like you want to OR the URLs:

"A GET was made to Open API - Status: OK (http://open/FinalNumbers" OR "A GET was made to Open API - Status: OK (https://apicorp.company/open/FinalNumbers" | spath AppID | search Environment=prod | timechart count by Environment | bin span=7d _time | stats avg(prod)

Also before the first pipe, you should specify an index and sourcetype at a minimum for efficiency.

View solution in original post

jpolvino · ‎12-06-2019

Sounds like you want to OR the URLs:

"A GET was made to Open API - Status: OK (http://open/FinalNumbers" OR "A GET was made to Open API - Status: OK (https://apicorp.company/open/FinalNumbers" | spath AppID | search Environment=prod | timechart count by Environment | bin span=7d _time | stats avg(prod)

Also before the first pipe, you should specify an index and sourcetype at a minimum for efficiency.

kvanwagoner · ‎12-06-2019

Thanks! That worked!

jpolvino · ‎12-06-2019

Please "accept as answer" the solution that fixes the issue, to help others. Thanks, and glad it worked!

Query for Multiple URLs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation