Splunk Search

help with distinct counting in same field

hak1
New Member

Hi,

I have a question for sifting through some ssl logs.

Let's say you have something like this:
"GET /subdomain/subsubdomain/page.js HTTP/1.1"

"GET /subdomain/subsubdomain2/page.js HTTP/1.1"

"GET /subdomain/subsubdomain3/page.js HTTP/1.1"

"GET /subdomain/subsubdomain4/page.js HTTP/1.1"

Since these aren't particularly in any distinct field, How can i gather the following data.

I'm trying to find out how many times each page occured during a given time period. I was able to do something like this

"GET /subdomain/subsubdomain" OR "GET /subdomain/subsubdomain2" OR "GET /subdomain/subsubdomain3" OR "GET /subdomain/subsubdomain4"

but that gives me the total count for all of them combined when I'm trying to get the count for each page.
Any help is greatly appreciated.

Tags (1)
0 Karma

chimell
Motivator

Hi
try like this

........ | stats count(_time)  by  _raw
0 Karma

kamaleshwar
Explorer

Anyone got the solution for this? If so please share it.

0 Karma

bmacias84
Champion

I would use rex or regex to create a new field for the last segment. Below is a sample but I have not tested the regex statement.

... | rex field=uri (?<page>/[\w\d\s\.]+/[\w\d\s\.]+$)| stats count(page) by page

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/rex

0 Karma

kamaleshwar
Explorer

It will be difficult if we get the dynamic results.

0 Karma

melting
Splunk Employee
Splunk Employee

I think you could gain from field extractions:

  1. You could do search time field extraction like "rex"
  2. Or you could have the ui help with Interactive Field Extractor

But if your events are really like that then you could just do a stats on raw:

... | stats count by _raw
0 Karma

kamaleshwar
Explorer

It will be difficult if we get the dynamic results.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...