I am producing some stats in splunk but I want to extract data for about 10 uri_method instead of 100s currently displayed in the table. The last line is where I am getting stuck. I want to be able to search uri_method for multiple values with wildcard.
i.e. the following should be returned:
www.example.com/v2/customers/* (HEAD)
example.co.uk/v1/orders/* (HEAD)
www.example.com/xy/customers/* (GET)
www.abc.com/v3/customers (GET)
www.GetOrder.com/v2/orders/* (GET)
www.ListOrders.com/v2/orders (GET)
www.ListAddresses.com/xy/customers/*/addresses (GET)
BUT NOT:
www.example.com/xy/customers/*/details (GET)
www.GetOrder.com/v2/orders/*/shipping/* (GET)
www.GetOrder.com/v2/orders/*/returns/* (GET)
If I remove the where clause (last line), I get 100s of results. I want to list only some items (uri_method) that end with "customers/* (HEAD)", "orders/* (HEAD)", "customers/* (GET)", "customers (GET)", "orders (GET)", "orders/* (GET)", "addresses (GET)" etc.
If I use the where clause with the field name and "IN", the wildcard * is not considered. If I use LIKE, I'm not sure how to add multiple values to the where clause. Please help.
index=main env=test ("*Method=GET*" OR "*Method=HEAD*") "StatusCode=200"
| rex field=log "ResponseTime=(?<ResponseTime>\d+)"
| rex field=log "StatusCode=(?<StatusCode>\d+)"
| rex field=log "\"?Method\"?\=(?<Method>[^,]*)"
| rex field=log "Uri=(?<uri>[^\,?]+)"
| rex field=uri "uri=(?<uri>[?].*)"
| eval uri = urldecode(uri)
| eval uri = replace(uri, "/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", "/*")
| eval uri = replace(uri, "(\/[0-9]+)", "/*")
| eval uri_method = uri + " (" + Method + ")"
| stats perc95(ResponseTime) as response, count as request_rate by uri_method, StatusCode
| eval score = toNumber(response) * toNumber(request_rate)
| sort -score
| table uri_method, StatusCode, response, request_rate, score
| where uri_method IN ("*customers/* (HEAD)", "*orders/* (HEAD)", "*users/* (HEAD)", "*customers/* (GET)", "*customers (GET)", "*orders (GET)", "*orders/* (GET)", "*addresses (GET)")
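Added illustration, not part of the original post: the "*" inside "customers/*" is a literal asterisk written by the replace() calls, so any wildcard-expanding IN would treat it as a second wildcard and admit the "BUT NOT" rows. The Python below, using the post's eight patterns and its sample uri_method values as constructed input, contrasts glob matching with an anchored regex that escapes the literal asterisk; feeding the regex that suffix_regex() builds to Splunk's regex command is an assumption about Splunk, not something the post shows.

```python
import re
from fnmatch import fnmatchcase

# The eight suffix patterns from the question. Only the leading "*" is meant
# as a wildcard; the "*" in "customers/*" is a literal character.
WANTED = [
    "*customers/* (HEAD)", "*orders/* (HEAD)", "*users/* (HEAD)",
    "*customers/* (GET)", "*customers (GET)", "*orders (GET)",
    "*orders/* (GET)", "*addresses (GET)",
]

# Constructed sample uri_method values, copied from the question's two lists.
SHOULD_MATCH = [
    "www.example.com/v2/customers/* (HEAD)",
    "example.co.uk/v1/orders/* (HEAD)",
    "www.example.com/xy/customers/* (GET)",
    "www.abc.com/v3/customers (GET)",
    "www.GetOrder.com/v2/orders/* (GET)",
    "www.ListOrders.com/v2/orders (GET)",
    "www.ListAddresses.com/xy/customers/*/addresses (GET)",
]
SHOULD_NOT_MATCH = [
    "www.example.com/xy/customers/*/details (GET)",
    "www.GetOrder.com/v2/orders/*/shipping/* (GET)",
    "www.GetOrder.com/v2/orders/*/returns/* (GET)",
]


def glob_in(value, patterns=WANTED):
    """Glob semantics: EVERY '*' in the pattern is a wildcard."""
    return any(fnmatchcase(value, p) for p in patterns)


def suffix_regex(patterns=WANTED):
    """One anchored alternation: drop the leading '*', escape the rest so the
    literal '*' stays literal, and require the suffix at end of string."""
    return "(" + "|".join(re.escape(p.lstrip("*")) for p in patterns) + ")$"


def regex_in(value, patterns=WANTED):
    """Suffix match with the literal asterisk respected."""
    return re.search(suffix_regex(patterns), value) is not None


def over_matched(values=SHOULD_NOT_MATCH):
    """Unwanted rows that glob-style matching would still let through."""
    return [v for v in values if glob_in(v)]


if __name__ == "__main__":
    print("glob over-matches:", over_matched())
    print("regex for | regex uri_method=...:", suffix_regex())
```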