Our logs will have urls logged in the below manner:
/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&purpose=Billing&pageNumber=1&pageSize=10
These query string params have default values in the API, so they may not all be present in each of the log entries.
https://regex101.com/r/5Ynk4f/1
This is what I've got so far. I need to write in a tabular format:
includeContacts | showOnlyPrimarySites | purpose | count |
true | true | billing | 30 |
false | false | | 50 |
Thanks
Arun


So, this will get your URL parameters into their own fields with their respective values.
| makeresults
| eval url="url=/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&pageNumber=1&pageSize=10"
| rex field=url max_match=0 "[\?\&](?<params>[^=]+)=(?<values>[^&]+)"
| eval params=mvzip(params,values)
| mvexpand params
| eval params=split(params,",")
| eval param=mvindex(params,0), {param}=mvindex(params,1)
| fields - param values params
| stats values(*) as * by url
After that, what you will end up with is a stats command that groups by an unknown set of fields. That is not possible. The by clause of stats must be a list of field names, not a wildcard.
If this reply helps you, Karma would be appreciated.
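The grouping the asker's table needs, shown outside Splunk as an added Python example (not code from the thread): it names the three group-by parameters up front, as the `by` clause of `stats` requires, and substitutes a placeholder when a parameter is absent from the URL. The sample URLs after the first, the `(default)` placeholder, and the function names are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# The three parameters to group by, as named in the question.
GROUP_BY = ("includeContacts", "showOnlyPrimarySites", "purpose")
# Placeholder for a parameter missing from the URL. Assumption: the API's
# real default values are not stated in the thread, so none are guessed.
ABSENT = "(default)"

# Constructed sample log URLs; only the first is taken from the question.
SAMPLE_URLS = [
    "/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True"
    "&purpose=Billing&pageNumber=1&pageSize=10",
    "/v1/customers/2/sites?includeContacts=true&showOnlyPrimarySites=true"
    "&purpose=billing&pageNumber=2",
    "/v1/customers/3/sites?includeContacts=False&showOnlyPrimarySites=False",
    "/v1/customers/4/sites",
]


def group_key(url):
    """Return the tuple of group-by values for one logged URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    key = []
    for name in GROUP_BY:
        values = query.get(name)
        # Lower-case so True/true count as one value. If a parameter is
        # repeated, the first occurrence is used (an assumption).
        key.append(values[0].lower() if values else ABSENT)
    return tuple(key)


def count_combinations(urls):
    """Count log entries per combination of the group-by parameters."""
    return Counter(group_key(u) for u in urls)


def render_table(counts):
    """Render the counts in the pipe-separated layout from the question."""
    header = GROUP_BY + ("count",)
    rows = [header] + [k + (str(n),) for k, n in sorted(counts.items())]
    widths = [max(len(r[i]) for r in rows) for i in range(len(header))]
    return "\n".join(
        " | ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows
    )


if __name__ == "__main__":
    print(render_table(count_combinations(SAMPLE_URLS)))
```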


How to render it into a table after parsing?
| makeresults
| eval url="url=/v1/customers/1/sites?includeContacts=True&showOnlyPrimarySites=True&pageNumber=1&pageSize=10"
| rex field=url max_match=0 "[\?\&](?<params>[^=]+)=(?<values>[^&]+)"
| stats count by params
The highlighted part is what I'm trying to figure out.
Thanks
Arun


Yes, that's my question - is there a way to split the params and values array so I run stats on them?
Thanks,
Arun
@richgalloway, Thanks so much sir.
Arun
