Splunk Search

Match several sub-urls, regexp

atanasmitev
Path Finder

I have a set of URLs in a log like so:

url1:"POST /stuff/test/"
url2: "GET /stuff/test-type?"
url:3"POST /stuff/test-settings/"

I need to evaluate hit count per url type.

The search at the moment can check only one url like so :
source=mysource type=INFO "POST url1" Type=INFO | bucket _time span=24h | stats dc(Remote_IP) as uniqIP, count(Remote_IP) as All_IP, count as total by _time | eval avg_perhour=(total/24) | eval avg_perminute=(avg_perhour/60) | table _time, total, avg_perhour, avg_perminute, uniqIP, All_IP

How do I regexp all three url types in a single search to get per_url hit count ?

Tags (2)
0 Karma

atanasmitev
Path Finder

Thanks , for the response.I 'll look it up, and if needed, try a workaround.

0 Karma

jrodman
Splunk Employee
Splunk Employee

Getting all three regexes is just a matter of making a regex that can repeat-match. You want a regex that will match url:"POST the_url" and not a byte more, and then you want to use the repeating features to pull it out repeatedly, eg |rex … max_match=3, or in props.conf with a REPORTS this happens by default with eg REGEX=(url\d):"POST ([^"]+)" and FORMAT=$1::$2

The part about calculating on all of them at once is kind of over my head.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...