Hello, I am running Splunk 7.1.4 on AMI Linux, Splunk Web from a Windows 10 desktop. I am trying to create a report that provides average time_taken, error count, # unique IPs, and total hits for 24 URI "Groups". For example, cs_uri_stem=/Group1* would give cs_uri_stem=/Group1, cs_uri_stem=/Group1/subgroup1, cs_uri_stem=/Group1/subgroup2, etc.

The following works for one group that I specifically define in the search:

------------------------------------------------------------------------------------------------------------------------------------
index=index host=host sourcetype=iis cs_uri_stem=/Group1*
| stats avg(time_taken) as avgtime count(eval(sc_status>=400)) as "Total #errors" dc(x_Forwarded_For) as "Total # Unique ClientIPs" min(cs_uri_stem) as cs_uri_stem count
| eval avgtime=round(avgtime,0)
| eval cs_uri_stem=rtrim(cs_uri_stem,"*")
_____________________________________________________________________________________

This gets me to a table with one row that has the combined data for the Group1 URIs.

The question I have is: how can I run this search "looping" through all 24 URI groups and end up with a table showing data for all 24 URI groups? I have added the Group* names to a lookup file and tried using the lookup in a subsearch, but I could not get that to work. I also tried a number of different approaches without success.

I hope I have explained the issue clearly. Any suggestions/comments greatly appreciated.
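One way to get all groups in a single table without looping, as an added example that is not part of the original post: extract the first path segment of cs_uri_stem into a field and group the stats on it. The lookup file name `uri_groups.csv` and its column `uri_group` are assumptions; the field names otherwise match the search above.

```spl
index=index host=host sourcetype=iis cs_uri_stem=/*
| rex field=cs_uri_stem "^/(?<uri_group>[^/]+)"
| search [| inputlookup uri_groups.csv | fields uri_group]
| stats avg(time_taken) as avgtime
        count(eval(sc_status>=400)) as "Total #errors"
        dc(x_Forwarded_For) as "Total # Unique ClientIPs"
        count as "Total hits"
        by uri_group
| eval avgtime=round(avgtime,0)
| sort - "Total #errors"
```

The `rex` turns `/Group1/subgroup2` into `uri_group=Group1`, the subsearch expands to `(uri_group=Group1) OR (uri_group=Group2) ...` so only the 24 listed groups are kept, and `by uri_group` yields one row per group. Note that X-Forwarded-For is a client-supplied header, so the unique-client count is only trustworthy when IIS sits behind a proxy you control that overwrites it.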