I have a question for sifting through some ssl logs.
Let's say you have something like this:
"GET /subdomain/subsubdomain/page.js HTTP/1.1"
"GET /subdomain/subsubdomain2/page.js HTTP/1.1"
"GET /subdomain/subsubdomain3/page.js HTTP/1.1"
"GET /subdomain/subsubdomain4/page.js HTTP/1.1"
Since these aren't particularly in any distinct field, How can i gather the following data.
I'm trying to find out how many times each page occured during a given time period. I was able to do something like this
but that gives me the total count for all of them combined when I'm trying to get the count for each page.
Any help is greatly appreciated.
I would use rex or regex to create a new field for the last segment. Below is a sample but I have not tested the regex statement.
... | rex field=uri (?<page>/[\w\d\s\.]+/[\w\d\s\.]+$)| stats count(page) by page