Hi,
I have a question for sifting through some ssl logs.
Let's say you have something like this:
"GET /subdomain/subsubdomain/page.js HTTP/1.1"
"GET /subdomain/subsubdomain2/page.js HTTP/1.1"
"GET /subdomain/subsubdomain3/page.js HTTP/1.1"
"GET /subdomain/subsubdomain4/page.js HTTP/1.1"
Since these aren't particularly in any distinct field, how can I gather the following data?
I'm trying to find out how many times each page occurred during a given time period. I was able to do something like this
but that gives me the total count for all of them combined when I'm trying to get the count for each page.
Any help is greatly appreciated.
Hi
try like this
........ | stats count(_time) by _raw
Anyone got the solution for this? If so please share it.
I would use rex or regex to create a new field for the last segment. Below is a sample but I have not tested the regex statement.
... | rex field=uri "(?<page>/[\w\d\s\.]+/[\w\d\s\.]+$)" | stats count(page) by page
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/rex
It will be difficult if we get the dynamic results.
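An added example, not part of the original thread: a search that pulls the request path out of the raw request line with rex and counts events per page, ignoring any query string so that dynamic URLs group together. The makeresults lines build constructed sample events so it can be pasted into a search bar as-is; the field names line, method and page are chosen here, and on real data the first four commands are replaced by your own base search and time range (for example earliest=-24h).

```spl
| makeresults
| eval line=split("GET /subdomain/subsubdomain/page.js HTTP/1.1;GET /subdomain/subsubdomain2/page.js HTTP/1.1;GET /subdomain/subsubdomain/page.js?v=2 HTTP/1.1;GET /subdomain/subsubdomain3/page.js HTTP/1.1", ";")
| mvexpand line
| eval _raw="\"".line."\""
| rex field=_raw "\"(?<method>[A-Z]+)\s+(?<page>[^\s?\"]+)[^\s\"]*\s+HTTP/\d(?:\.\d)?\""
| stats count by page
| sort - count
```

With the constructed events above, /subdomain/subsubdomain/page.js is counted twice because the ?v=2 suffix is excluded from the page field, which is the difference from counting by _raw.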
I think you could gain from field extractions:
But if your events are really like that then you could just do a stats on raw:
... | stats count by _raw