Hi,
Thanks for your response and for pointing out the issue with the regex. Yes, the variable names got left out. I tried to update it in the original question but couldn't, so I am reposting the question with the updated regex query below.
Question with update:
Hi,
I am looking for some help with the query below. I have a list of APIs that have different parameters in the URL. I have extracted the values from the URL and stored them in a variable using the replace command.
Question:
1) How would I be able to combine them and store them in one regex variable?
2) If I had it stored in one variable, would it be possible to display the count based on the API? For example, let's say I display the count in a table and have another panel in drilldown that displays the count when the table is clicked.
Splunk Query:
index=abcd appname=xyz
| rex field=message "(GET|POST).(?<api>[^\ ]+)"
| rex field=message "HTTP\/\S+.(?<RespCode>[^\ ]+)"
| search RespCode=50*
| eval api=replace(api, "(/api/abc/v2/user/Id/.*)","/api/abc/v2/user/Id/Unique_Value")
| eval api=replace(api, "(/api/abc/v2/Name/.*)","/api/abc/v2/user/Name/Unique_Value")
| eval api=replace(api, "(/api/abc/v2/user/.*)","/api/abc/v2/user/Unique_Value")
| eval api=replace(api, "(/api/abc/v2/name/.*/info)","/api/abc/v2/name/unique_value/info")
| eval api=replace(api, "(/api/abc/v2/info/.*/name)","/api/abc/v2/info/unique_value/name")
| rex field=message "user.Id.(?<ID>[^\ ]+)"
| stats dc(ID)
Can someone help if there is scope within Splunk queries to solve this? I am still trying to learn. I appreciate any assistance. Thank you.
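One way to collapse the five `replace` calls into a single step, as an added example that is not part of the original post: `case()` returns the value of the first condition that matches, so the more specific paths are listed before the general `/user/` rule, which in a chain of `replace` calls would also match and overwrite the already-normalized `/user/Id/` and `/user/Name/` values. The `errors` and `unique_ids` column names are assumptions; the index, fields and paths are taken from the query above.

```spl
index=abcd appname=xyz
| rex field=message "(GET|POST).(?<api>[^\ ]+)"
| rex field=message "HTTP\/\S+.(?<RespCode>[^\ ]+)"
| search RespCode=50*
| rex field=message "user.Id.(?<ID>[^\ ]+)"
| eval api=case(
    match(api, "^/api/abc/v2/user/Id/"),        "/api/abc/v2/user/Id/Unique_Value",
    match(api, "^/api/abc/v2/Name/"),           "/api/abc/v2/user/Name/Unique_Value",
    match(api, "^/api/abc/v2/name/[^/]+/info"), "/api/abc/v2/name/unique_value/info",
    match(api, "^/api/abc/v2/info/[^/]+/name"), "/api/abc/v2/info/unique_value/name",
    match(api, "^/api/abc/v2/user/"),           "/api/abc/v2/user/Unique_Value",
    true(), api)
| stats count AS errors dc(ID) AS unique_ids by api
| sort - errors
```

The result is one row per normalized API with its 5xx count. For the drilldown, a dashboard table can pass the clicked row's value as a token (`$row.api$` in Simple XML) to a second panel that filters on it.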