Hi,
The traffic in our application is routed according to a URI prefix, for example: uri_path=/foo/*
or uri_path=/bar/*
. How can I produce a pie chart that simply shows the percentage of traffic that went to each uri_path
?
I have a similar situation and found MuS's proposed solution to point me in the right direction. I was getting multi-valued fields for my uri_prefix and discovered that max_match=0
seemed to be causing that. So, changing max_match=1
(the default) got me what I was looking for.
base_search | rex field=uri_path max_match=1 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix
Hi johntopley,
try something like this:
... | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | ...
cheers, MuS
sure it will not group anything, because there is no stats nor any other command which will do that. So if you take the updated search and add a stats to it will that match your needs?
your base search uri_path=/foo/* OR uri_path=/bar/* | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix
I can only try to help and try to lead you, but I cannot write a complete search because I don't have your data....
It doesn't group the requests into those that start with /foo/*
and those that start with /bar/*
.
how about this:
your base search uri_path=/foo/* OR uri_path=/bar/* | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | dedup uri_prefix | ...
Thanks, but it gives 100s of different values for uri_prefix instead of the two I want.
No, still the same.
Try the updated search '| rex field=uri_path "^/(?
Thanks, but it still gives 100s of different values for uri_prefix instead of the two I want.
It seems slashes were removed in the comment field. try this.
your base search| rex field=uri_path "^/(?
I get > 100 different values for the uri_prefix field. Lots of different URLs that start with /foo or /bar.
With the search "your base search| rex field=uri_path "^(?
I don't think that does what I need. I'm expecting two figures: one for all uri_paths that start with /foo and another for all uri_paths that start with /bar.
Then (based on your example, your just need first part of uri, '/foo' and '/bar'), try this.
your base search| rex field=uri_path "^(?
Thanks, but uri_path contains numerous values. I need the grouping by uri_path prefix.
If this field is extracted try this.
your base search | stats count by uri_path
or
your base search | chart count by uri_path
and use pie chart as visualisation.