How to write a search to find the count of paramet...

lstruman · ‎11-23-2015

Hi,

We were asked to analyze the parameter usage. It is a POST with JSON body. The target is a set of 30 parameters. Each parameter is optional for that http POST. The final query will be like this: for each parameter, tell me the count of parameters in the post over that period of time. We want to know which parameters interest the customers most. What is the best design, in terms of Splunk performance? I have several ideas about how the log file should be formatted. The basic format is one line for each http request.

print body={"k1":"v1","k2":"v2",..} in the log, and count body="*k1*", body="*k2" ...
appending to my online log for each http post request to be like k1=v1 k2=v2...., and count k1, k2. This sounds easier, but the log line could be very long if many parameters are posted.
design a pattern bitmap where bit1 maps to k1, bit2 maps to k2, ... etc. so my log file will be like pattern=234. I will use eval to perform arithmetic operation against the pattern value to get my desired bit.

Thanks for any comments.

harelmenashe77 · ‎01-27-2016

Didn't quite understand your question and mostly the bitmap part.
Maybe this helps - if you index those JSONs as events, and then have your events with parameters k1,k2,k3... you can use this easy stats/timechart trick:
... | stats count (k*) as k*
and the timechart one -
... | timechart count (k*) as k*

you will get a count for each field starting with K, overall or over time.

How to write a search to find the count of parameters in a POST over a period of time?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life