Splunk Search

nawazns5038
Builder

Please try the following,

| eval new=case(like(_raw,"%/acc/basic"),"basic",like(_raw,"%/acc/view"),"view") | stats count by new

Results

new count
basic   4
view    3
0 Karma

nawazns5038
Builder

Works as well

| eval new=case(match(_raw,".*?basic"),"basic",match(_raw,".*?view"),"view") | stats count by new

Results

new count
basic   4
view    3
0 Karma

horsefez
Motivator

Hi @codebased,

I'm not really sure what the problem is, as you are not going to achieve a count with your regex command.

Let me suggest a possible solution:

yoursearch | rex mode=sed field=url "s/^([^\/]+\/\/[^\/]+\/[^\/]+\/[^\/]+\/[^\/]+\/)\d+(\/.+)/\1*\2/g"| stats count by url

https://regex101.com/r/Ts3HpN/1

It might look a bit cryptic, but it should work for your sample data.
Tell me if it helps!

0 Karma
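The sed expression in the answer above, ported to Python as an added example (not part of the original post) so it can be checked offline before running it in Splunk. The host, paths and ids are constructed sample data, and the helper names are hypothetical; the last two URLs show inputs the pattern leaves unchanged, which end up as their own rows in `stats count by url`.

```python
import re
from collections import Counter

# Same pattern as the sed expression in the answer above:
# scheme://host/seg/seg/seg/<digits>/rest -> the digits are replaced by "*".
ID_SEGMENT = re.compile(r"^([^/]+//[^/]+/[^/]+/[^/]+/[^/]+/)\d+(/.+)")

# Constructed sample URLs (host, path and ids are made up for illustration).
SAMPLE_URLS = [
    "https://example.test/app/v1/users/1001/acc/basic",
    "https://example.test/app/v1/users/1002/acc/basic",
    "https://example.test/app/v1/users/1003/acc/view",
    "https://example.test/app/v1/users/1004/acc/basic",
    "https://example.test/app/v1/users/1005/acc/view",
    "https://example.test/app/v1/users/1006/acc/basic",
    "https://example.test/app/v1/users/1007/acc/view",
    # Edge cases: a different path depth and a non-numeric id are not rewritten.
    "https://example.test/app/users/1008/acc/view",
    "https://example.test/app/v1/users/abc/acc/basic",
]


def normalize(url):
    """Return (url after substitution, whether the pattern matched)."""
    new, n = ID_SEGMENT.subn(r"\1*\2", url)
    return new, n > 0


def count_by_url(urls):
    """Count per normalized URL and collect the URLs the pattern missed."""
    counts, unmatched = Counter(), []
    for url in urls:
        new, matched = normalize(url)
        counts[new] += 1
        if not matched:
            unmatched.append(url)
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = count_by_url(SAMPLE_URLS)
    for url, n in counts.most_common():
        print(n, url)
    print("not normalized:", unmatched)
```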