I have a bunch of URIs to extract and categorize. After that I need to timechart them by category.
So say the log has:
/urlxyz/123/
/urlxyz/345/
/urlabc/123/
/urlabc/345/
I need to extract the URIs starting with urlxyz as category1 and urlabc as category 2 and timechart them as column/stacked. On the chart, the categories should be the information displayed when a mouseover happens on any of the stacks.
Right now my search is like this:
index=xyz sourcetype=xyz GET |rex ="GET|POST\s+(?P
Any help is appreciated. Thank you.
Okay, I see one problem with this search: you define a field named "url" in the rex command, but you use it as "URL" in the timechart command. Field names are case-sensitive.
Assuming that your regular expression is correct in the rex command:
index=xyz sourcetype=xyz GET |rex ="GET|POST\s+(?P<url>[^ ]+?)\s+HTTP"|timechart span=10m count by url useother=false usenull=false
should work. Note that I also changed count(URL) to just count. You do not need to count(url) if all events have the url field.
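The categorization step the question asks for, as an added example that is not part of the original posts: it builds four constructed events with makeresults so it runs without the xyz index, extracts url, maps the /urlxyz/ and /urlabc/ prefixes to a category field with eval case(), and charts by that field. The sample request lines, the 5-minute spacing and the field name category are assumptions; the method alternation is wrapped in a non-capturing group so that the rest of the pattern applies to both GET and POST.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(n=1, "GET /urlxyz/123/ HTTP/1.1",
                 n=2, "POST /urlxyz/345/ HTTP/1.1",
                 n=3, "GET /urlabc/123/ HTTP/1.1",
                 n=4, "GET /urlabc/345/ HTTP/1.1")
| eval _time=now() - n*300
| rex "(?:GET|POST)\s+(?P<url>\S+)\s+HTTP"
| eval category=case(match(url, "^/urlxyz/"), "category1",
                     match(url, "^/urlabc/"), "category2")
| timechart span=10m count by category useother=false usenull=false
```

Against real data, replace the first five commands with the base search (index=xyz sourcetype=xyz); events whose url matches neither prefix get no category and are dropped by usenull=false.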