To join or not to join that is the question

approachct · ‎08-01-2011

I am trying to get the total number of web server pages that match a given F5 load balancer iRule condition. Specifically, I have
One source that contains the irules with a field called VERB (i.e. F5 starts_with OR contains) and the URI (i.e. /mydirectory1/ OR /mydirectory2/mypage.aspx, etc.)

I want to take the values in the URI with a starts_with verb and 'join' them together with the web servers log field cs_uri_stem. The issue I think that I am running into is that the starts_with verb would really mean the search should be cs_uri_stem = VERB with an * wildcard at the end.

Help!!!!

Brian_Osburn · ‎08-01-2011

This sounds like a job for a lookup (which I learned about only not too long ago myself)!

Instead of having the F5 Irules in an index, can you make it a .csv? Stick it under your $SPLUNK_HOME/etc/system/lookups if you can.

This way, you can do something like this:

source=web_logs [|inputlookup f5irule.csv | search VERB=starts_with | rename URI as cs_uri_stem] | stats count(cs_uri_stem) by cs_uri_stem

This will load up the csv, search for your starts with, returns URI as cs_uri_stem.. and then searches your web logs for that cs_uri_stem and does the counting you need.

This is just off the top of my head, I haven't got a way to test it.

Brian

Brian_Osburn · ‎08-01-2011

I don't think it's a join, it's more of a loop - you're specifying "source=web_logs" (or whatever your web log source is). the "[|inputlookup ..." section is a subsearch that returns a cs_uri_stem in which to search your web logs for..

approachct · ‎08-01-2011

OK, I will try this, but how will I join it to the web server logs? Don't I need another query there

To join or not to join that is the question

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor