This is a follow-on question to http://answers.splunk.com/answers/228254/how-to-search-the-total-number-of-hits-to-urls-tha.html...
I want to try to find out the number of entries in a log file which contain one parameter but do NOT contain another parameter. The parameters could be in any order.
Basically, I want to be able to differentiate between these URLs:
1. /shop/product/<somevalue>?ID=123456&CategoryID=9876 <-- Both ID and CategoryID passed
2. /shop/product/<somevalue>?CategoryID=9876&ID=123456 <-- Both ID and CategoryID passed (different order)
3. /shop/product/<somevalue>?ID=123456
where I know that ID will always be passed, but where CategoryID is optional and may be before or after ID.
I need a count of type 3 (without CategoryID) to compare with a count of types 1 and 2 combined.
I can easily parse out all the entries that match the /shop/product/* path, but can I do a single subsequent rex/regex to check for existence somewhere in the query string of the CategoryID?
I hope this is clear...
Hello! By following the link you gave above, I think you should use this to compare type 1 and type 2:
count(pro_id_TY1) is the count of ID in events where there is no CategoryID, (means the last event in your sample data.)
count(pro_id_TY2) is the count of ID in events where there is a CategoryID (means, the first and the second event in your sample data)
If url is a field in your events, here you go:
........|rex field=url "^[^&\n]\?ID=(?P
...|rex field=_raw "^[^&\n]\?ID=(?P
If any issue, let me know.
Thanks
Stephane
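An added example, not part of the original question or answer: an order-independent check for `CategoryID` on `/shop/product/` requests, written in Python over constructed log lines. The function names, the sample lines and the `no_ID` bucket are assumptions for illustration; the key point is that a parameter name is matched only at the start of the query string or right after `&`, so `ID=` is not found inside `CategoryID=` and `CategoryID=` is not found inside a longer name.

```python
import re
from collections import Counter

# Product path, with the query string (if any) captured without the leading "?".
PRODUCT_RE = re.compile(r'(/shop/product/[^?\s"]*)(?:\?([^\s"#]*))?')

def has_param(query, name):
    """True if `name` is a parameter in `query`, wherever it appears.

    Anchoring on start-of-string or "&" keeps "ID=" from matching the tail
    of "CategoryID=" and "CategoryID=" from matching "ParentCategoryID=".
    """
    return re.search(r'(?:^|&)' + re.escape(name) + r'=', query) is not None

def classify(line):
    """Return the bucket for one log line, or None if it is not a product URL."""
    m = PRODUCT_RE.search(line)
    if not m:
        return None
    query = m.group(2) or ""
    if not has_param(query, "ID"):
        return "no_ID"
    if has_param(query, "CategoryID"):
        return "with_CategoryID"      # types 1 and 2 in the question
    return "without_CategoryID"       # type 3 in the question

def count_types(lines):
    """Count product-page requests per bucket."""
    return Counter(c for c in map(classify, lines) if c is not None)

# Constructed sample lines (not taken from the original post).
SAMPLE_LOG = [
    'GET /shop/product/widget?ID=123456&CategoryID=9876 HTTP/1.1',
    'GET /shop/product/widget?CategoryID=9876&ID=123456 HTTP/1.1',
    'GET /shop/product/widget?ID=123456 HTTP/1.1',
    'GET /shop/product/gadget?ID=42&ParentCategoryID=7 HTTP/1.1',
    'GET /shop/product/widget?CategoryID=9876 HTTP/1.1',
    'GET /shop/cart?ID=1&CategoryID=2 HTTP/1.1',
]

if __name__ == "__main__":
    for bucket, n in sorted(count_types(SAMPLE_LOG).items()):
        print(bucket, n)
```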