OK, my first question: I'm a relative Splunk newbie. I thought I was good at SQL syntax but I'm lost here ;-(
I have a source feed from a Blue Coat proxy, and I have a simple text file (ofinterest.csv) in which we hold a list of URLs of interest, one per line.
What I need to generate is a table listing which of the ofinterest URLs have been visited and how many times.
One of my problems is that the URL in ofinterest.csv will only be something like facebook.com,
whereas the URL in the Blue Coat log will be something like
http://facebook.com/something%20or%20other.asp?login
so an exact match between the fields won't work.
Anyway, I've been playing around with a search like
sourcetype=OfInt
| eval url=url_item
| eval src1="Y"
| table url src1
| join type=outer url
    [ search sourcetype=BCLogs
      | dedup cs_host
      | eval url=cs_host
      | eval src2="Y"
      | table url src2 ]
| stats count BY url
Pretty basic, I know. I can't get the count to work (how many Blue Coat entries contain an ofinterest.csv entry), let alone get it to work with partial fields.
Any help appreciated.
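As an added worked example (not part of the original post or the asker's search), the SPL below does what the question asks: it treats each ofinterest.csv entry as a domain, matches it against the proxy's cs_host field as the host itself or any parent domain of it (so facebook.com matches both facebook.com and m.facebook.com, but not notfacebook.com), and returns one row per watched entry with its request count. It assumes ofinterest.csv has been uploaded as a Splunk lookup table file with a header row naming the column url_item, that the proxy events carry the cs_host field as in the question, and that the instance is Splunk 8.0 or later (for mvmap); the ``` comments are Splunk 9 syntax and can be deleted on older versions.

```spl
sourcetype=BCLogs
    [ | inputlookup ofinterest.csv
      | eval cs_host="*" . lower(url_item)
      | fields cs_host ]                            ``` subsearch expands to cs_host="*facebook.com" OR ... so only candidate events are read ```
| eval cs_host=lower(cs_host)
| stats count AS hits BY cs_host                    ``` collapse to one row per distinct proxied host, keeping its request count ```
| inputlookup append=true ofinterest.csv            ``` append the watchlist rows (url_item set, cs_host empty) to the result set ```
| eventstats values(url_item) AS watchlist          ``` copy the whole list onto every row as a multivalue field ```
| where isnotnull(cs_host)                          ``` drop the bare watchlist rows again ```
| eval matched=mvmap(watchlist,
      if(cs_host == lower(watchlist) OR like(cs_host, "%." . lower(watchlist)),
         lower(watchlist), null()))                 ``` keep only entries equal to the host or a parent domain of it ```
| where isnotnull(matched)
| mvexpand matched                                  ``` a host can match more than one entry, e.g. bbc.co.uk and news.bbc.co.uk ```
| search matched=*
| stats sum(hits) AS visits, dc(cs_host) AS distinct_hosts, values(cs_host) AS hosts BY matched
| sort - visits
```

The collapse to one row per cs_host happens before the matching step so that the mvmap comparison runs once per distinct host rather than once per proxy event; the leading subsearch is only an optimisation that stops Splunk reading every event off disk, and it is subject to the default subsearch result limit, so a watchlist of more than ten thousand entries needs that limit raised or the subsearch removed. The suffix check requires a "." before the entry, which is what keeps notfacebook.com from counting as facebook.com; note that like() treats "_" as a single-character wildcard, so a list entry containing an underscore would need escaping. If the list is indexed as sourcetype=OfInt instead of being uploaded as a lookup, replace the inputlookup line with `| append [ search sourcetype=OfInt | fields url_item ]`.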