help with distinct counting in same field

hak1 · ‎09-20-2012

Hi,

I have a question for sifting through some ssl logs.

Let's say you have something like this:
"GET /subdomain/subsubdomain/page.js HTTP/1.1"

"GET /subdomain/subsubdomain2/page.js HTTP/1.1"

"GET /subdomain/subsubdomain3/page.js HTTP/1.1"

"GET /subdomain/subsubdomain4/page.js HTTP/1.1"

Since these aren't particularly in any distinct field, How can i gather the following data.

I'm trying to find out how many times each page occured during a given time period. I was able to do something like this

"GET /subdomain/subsubdomain" OR "GET /subdomain/subsubdomain2" OR "GET /subdomain/subsubdomain3" OR "GET /subdomain/subsubdomain4"

but that gives me the total count for all of them combined when I'm trying to get the count for each page.
Any help is greatly appreciated.

chimell · ‎03-09-2016

Hi
try like this

........ | stats count(_time)  by  _raw

kamaleshwar · ‎03-08-2016

Anyone got the solution for this? If so please share it.

bmacias84 · ‎09-21-2012

I would use rex or regex to create a new field for the last segment. Below is a sample but I have not tested the regex statement.

... | rex field=uri (?<page>/[\w\d\s\.]+/[\w\d\s\.]+$)| stats count(page) by page

kamaleshwar · ‎03-08-2016

It will be difficult if we get the dynamic results.

melting · ‎09-20-2012

I think you could gain from field extractions:

But if your events are really like that then you could just do a stats on raw:

... | stats count by _raw

kamaleshwar · ‎03-08-2016

It will be difficult if we get the dynamic results.

Are you a member of the Splunk Community?