aggregate url calls , ignoring number in the route

codebased · ‎08-29-2018

HI Guys,

I have a url like this:

I want to group into two rows

How can I aggregate?

It is a url field.

I tried with

rex field=url
"https://localhost/Client/V2/clients/(\d+)/*"
| table url

but it did not work.

nawazns5038 · ‎08-30-2018

Please try the following,

| eval new=case(like(_raw,"%/acc/basic"),"basic",like(_raw,"%/acc/view"),"view") | stats count by new

Results

new count
basic   4
view    3

nawazns5038 · ‎08-30-2018

Works as well

| eval new=case(match(_raw,".*?basic"),"basic",match(_raw,".*?view"),"view") | stats count by new

Results

new count
basic   4
view    3

horsefez · ‎08-29-2018

Hi @codebased,

I'm not really sure what the problem is, as you are not going to achieve a count with your regex command.

Let me suggest a possible solution:

yoursearch | rex mode=sed field=url "s/^([^\/]+\/\/[^\/]+\/[^\/]+\/[^\/]+\/[^\/]+\/)\d+(\/.+)/\1*\2/g"| stats count by url

It might look a bit cryptic, but it should work for your sample data.
Tell me if it helps!