I have the lookup table below. I want to match API_URL in my Splunk query. The actual results which I am getting from my query are -
Actual Result
API_URL
api/Company/Google/Product/PixlePhone1
api/Company/Google/Product/PixlePhone2
If I use the lookup table query below, I get 4 records instead of 2, because both the queries match with the WILDCARD(*) character. I don't know how to use regex in a lookup. Is there a better option I can try out?
Lookup
ModuleName, API_URL, Description
Producer, api/Company/*, Company Details
Producer, api/Company/*/Product/* , Product Details
I am using the Splunk query below to get the result -
index=ctos* "Properties.applicationname"="MES Web API"
| dedup Properties.Http_RequestId
| lookup ctos_screen_usage_api_lookup API_URL OUTPUT ModuleName,Description
| table ModuleName,Description, API_URL
| stats count(API_URL) as "UsageCount" by Description
Expected Result -
Description UsageCount
Product Details 2
Your help will be greatly appreciated. Thanks in advance !!
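
The overlap described in the question, as an added example that is not part of the original post and is not Splunk code: a Python simulation of the two wildcard rows against the two URLs, showing why every event matches both rows and how keeping one row per event gives the expected count. The function names and the "most literal characters wins" rule are assumptions made for illustration.

```python
import re
from collections import Counter

# Lookup rows copied from the post: (ModuleName, API_URL pattern, Description).
LOOKUP = [
    ("Producer", "api/Company/*", "Company Details"),
    ("Producer", "api/Company/*/Product/*", "Product Details"),
]
# URLs copied from the post's "Actual Result".
EVENTS = [
    "api/Company/Google/Product/PixlePhone1",
    "api/Company/Google/Product/PixlePhone2",
]

def wildcard_to_regex(pattern):
    """Turn a '*' wildcard pattern into an anchored regex; '*' also spans '/'."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")

def all_matches(url, rows=LOOKUP):
    """Every row whose pattern matches the URL (the behaviour that yields 4 records)."""
    return [r for r in rows if wildcard_to_regex(r[1]).match(url)]

def most_specific(url, rows=LOOKUP):
    """Hypothetical tie-break: keep the match with the most non-wildcard characters."""
    hits = all_matches(url, rows)
    return max(hits, key=lambda r: len(r[1].replace("*", "")), default=None)

def usage_count(pick_one):
    """Count matched rows per Description, like `stats count by Description`."""
    counts = Counter()
    for url in EVENTS:
        rows = [most_specific(url)] if pick_one else all_matches(url)
        counts.update(r[2] for r in rows if r)
    return dict(counts)

if __name__ == "__main__":
    print("all matching rows:", usage_count(pick_one=False))
    print("one row per event:", usage_count(pick_one=True))
```

In Splunk itself, the `max_matches` setting of the lookup definition in transforms.conf limits how many rows are returned per input value, taken in file order, so with `max_matches = 1` the more specific pattern has to be listed first in the CSV.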