I am trying to get the total number of web server pages that match a given F5 load balancer iRule condition. Specifically, I have:
One source that contains the iRules with a field called VERB (i.e. F5 starts_with OR contains) and the URI (i.e. /mydirectory1/ OR /mydirectory2/mypage.aspx, etc.)
I want to take the values in the URI with a starts_with verb and 'join' them together with the web server's log field cs_uri_stem. The issue I think I am running into is that the starts_with verb would really mean the search should be cs_uri_stem = VERB with an * wildcard at the end.
This sounds like a job for a lookup (which I learned about only not too long ago myself)!
Instead of having the F5 iRules in an index, can you make it a .csv? Stick it under your $SPLUNK_HOME/etc/system/lookups if you can.
This way, you can do something like this:
source=web_logs [|inputlookup f5irule.csv | search VERB=starts_with | rename URI as cs_uri_stem] | stats count(cs_uri_stem) by cs_uri_stem
This will load up the csv, search for your starts_with rows, return URI as cs_uri_stem, and then search your web logs for that cs_uri_stem and do the counting you need.
This is just off the top of my head, I haven't got a way to test it.
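The matching this answer describes, written out as an added Python example (not the poster's code and not Splunk SPL): it applies each starts_with rule from a constructed iRule CSV to constructed W3C-style web log lines as a prefix match on cs_uri_stem, counts hits per stem, and builds the wildcarded clause the subsearch would need. The VERB, URI and cs_uri_stem names come from the question; the log layout and all sample values are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of the iRule export, with the VERB and URI fields from the question.
IRULES_CSV = """VERB,URI
starts_with,/mydirectory1/
starts_with,/mydirectory2/mypage.aspx
contains,/admin/
"""
# Constructed W3C-style web log lines: date time cs-method cs-uri-stem sc-status (assumed layout).
WEB_LOG = """2024-01-01 10:00:00 GET /mydirectory1/index.html 200
2024-01-01 10:00:01 GET /mydirectory1/images/logo.png 200
2024-01-01 10:00:02 GET /mydirectory2/mypage.aspx 200
2024-01-01 10:00:03 GET /mydirectory2/other.aspx 404
2024-01-01 10:00:04 GET /app/admin/users 200
2024-01-01 10:00:05 GET /mydirectory1/index.html 200
"""

def load_irules(text, verb=None):
    """Parse the iRule CSV; optionally keep only rows whose VERB equals the given one."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["VERB"].strip(), r["URI"].strip()) for r in rows
            if verb is None or r["VERB"].strip() == verb]

def rule_matches(verb, uri, cs_uri_stem):
    """starts_with is a prefix test, contains a substring test; unknown verbs never match."""
    if verb == "starts_with":
        return cs_uri_stem.startswith(uri)
    if verb == "contains":
        return uri in cs_uri_stem
    return False

def count_matching_stems(irules_csv, web_log, verb="starts_with"):
    """Count hits per cs_uri_stem for log lines matched by at least one rule with the given verb."""
    rules = load_irules(irules_csv, verb)
    counts = Counter()
    for line in web_log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines rather than raising
        stem = fields[3]
        if any(rule_matches(v, u, stem) for v, u in rules):
            counts[stem] += 1
    return counts

def spl_filter(irules_csv, verb="starts_with"):
    """Search clause the subsearch would need: a trailing * turns starts_with into a prefix match."""
    return " OR ".join('cs_uri_stem="%s"' % (u + "*" if v == "starts_with" else "*" + u + "*")
                       for v, u in load_irules(irules_csv, verb))
```

Passing verb=None counts hits for every rule regardless of verb, which the subsearch in the answer filters down to starts_with rows only.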
I don't think it's a join, it's more of a loop - you're specifying "source=web_logs" (or whatever your web log source is). The "[|inputlookup ..." section is a subsearch that returns a cs_uri_stem to search your web logs for.