- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Get count of rows from a value which is a part of ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Get count of rows from a value which is a part of the message in the log file
Our requirement is to get the count and location of a build that has been downloaded multiple times from one source file(builddwnld). These location of the builds are retrieved from another source file(buildupld).
For exa:
index="buildupld" status=200 | top 200 location | table location
This gives the output as location "abc/content/buildabc".
But in builddwnld source file, there are no field as location, but we get the whole log file row message in which location is just a part of a big string in the log. For exa :
index="builddwnld" "abc/content/buildabc"
This query gives the below output:-
[24/Aug/2014:23:48:41 -0700] 0 "GET /content/downloads/abc/content/buildabc/abc287.pkg HTTP/1.1" 200 50
If we do index="builddwnld" "abc/content/buildabc" | stats count then it gives just the count.
So, basically we need to form one single query in which we need to use the location value(which we get from the first query from buildupld source) as the input parameter to get the count of the number of times it has been downloaded and the location from builddwnld source(Final output should contain 2 columns count and location).
Kindly help us out to resolve this issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (slow, using map command)
index="buildupld" status=200 | top 200 location | table location
| map maxsearches=20 search="index=builddwnld \"$location$\"" | eval location=\"$location\" | stats count by location"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, the URI path value always has this specific pattern, i.e.
/content/downloads/abc/content/buildabc/abc287.pkg
and the location value always starts with the 3rd folder in the path.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, is there any specific pattern about the uri_path value ( /content/downloads/abc/content/buildabc/abc287.pkg) in builddwnld index data, like its always has "/content/downloads/" before location OR the location value "/abc/content/buildabc" always starts with 3rd folder in the path?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
