{ "message": {
"correlation": "12345678",
"headers": {},
"protocol": "HTTP/1.1",
"remote": "111.11.11.111",
"requestMethod": "GET",
"requestPath": "/abc/<dynamic_value>/xyz",
"type": "request" } }
Here from "message.requestMethod" and "message.requestPath" I need to find unique combinations and give some name to it. "message.requestPath" can have different endpoints.
Tried something like below which is not working:
searchquery | eval api = case (message.requestMethod = GET AND message.requestPath="/abc/<dynamic_value>/xyz", "GET_VERSION_API", message.requestMethod = POST AND message.requestPath="/abc/<dynamic_value>/xyz", "POST_VERSION_API", 1 = 1, "default") | stats count by api
Like this:
... | rex field=message.requestPath mode=sed "s/^(\/[^\/]+\/)[^\/]+/\1*/"
| eval requestBoth = 'message.requestMethod' . ":" . 'message.requestPath'
| stats count BY requestBoth
Like this:
... | rex field=message.requestPath mode=sed "s/^(\/[^\/]+\/)[^\/]+/\1*/"
| eval requestBoth = 'message.requestMethod' . ":" . 'message.requestPath'
| stats count BY requestBoth
Hi @woodcock , is this sed-expression generic? What if some other requestPath has dynamic value at some other place? e.g. /abc/1111/xyz Vs /aaa/bbb/<dynamic_value>xyz ?
How to. change dynamic value place in this sed-expression?
Thank you woodcock for your reply. Only problem with your approach is I have dynamic values in URL e.g./abc/<dynamic_value>/xyz because of that each URL is getting treated as unique. Can't we put some * or any other regex for dynamic values?
for each below I am getting count as 1, where I this is one service and I need count as 2.
Current Behavior -
/abc/1111/xyz - count 1
/abc/2222/xyz -count 1
Expected Behavior -
/abc/*/xyz - count 2
Answer updated.