uri_domain=HTTPS://xxxxxxx.com "*.jsp*" | top limit=10 uri
Under the statistics tab, I get different URIs with count, however, I get jsessionid associated with it which I want to remove.
URI Count
HTTPS://XXXX/A.jsp;jsessionid=0000iy48i-7oVdu8hQYd-jEvD7j:19heb2fp1 4
HTTPS://XXXX/A.jsp;jsessionid=0000U58zotFsxkfo9r0e3Ezm7Y6:19heb2ljm 4
HTTPS://XXXX/B.jsp;jsessionid=0000YnYZmfqe8do_D74u4XCdacW:19hedg444 2
HTTPS://XXXX/B.jsp;jsessionid=0000SrOcfEmPIThFzwfoKFs3J8y:19hedg444 2
I would like to ignore the substring jsession id and the results should look like
URI Count
HTTPS://XXXX/A.jsp 8
HTTPS://XXXX/B.jsp 4
I tried with
uri_domain=HTTPS://xxxxxxx.com "*.jsp*" NOT jsessionid | top limit=10 uri
but it displays 0 results.
Append a regex to your query and remove that bit from the URI. Something like this should do the trick:
| rex field=uri_domain "(?i)(?<shortUri>http[s]?:\/\/.+);jsessionid="
| stats count by shortUri
Right - doing the NOT jsessionid removes all events (rows) where the string "jsessionid" is in it, which is not what you want.
There are several ways to fix this, but an easy question first:
Could you repaste the search you were using, only use the little code buttons in the editor to flag it as code? That way special characters won't get eaten.
I think the fix will be easy once we see the search itself, but there are two or three different things that could be happening given your search string and example output and I'd like to solve your actual problem instead of my guess at your problem.
Thanks rich, was able to figure out with your hint.
How to just ignore the ;jsessionid= ? Your code will only find records that DO have it, not the ones that do not have it.
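Added example (not part of the original thread): one way to cover the case raised in the last comment is to delete the ;jsessionid=... path parameter with eval replace() instead of extracting the text in front of it, so URIs without a session ID pass through unchanged. The makeresults rows and their session IDs are constructed sample data; in a real search the first three lines would be replaced by the base search, assuming the field is named uri as in the question.

```spl
| makeresults
| eval uri=split("HTTPS://XXXX/A.jsp;jsessionid=0000CONSTRUCTED1:node1,HTTPS://XXXX/A.jsp;JSESSIONID=0000CONSTRUCTED2:node1,HTTPS://XXXX/A.jsp,HTTPS://XXXX/B.jsp;jsessionid=0000CONSTRUCTED3:node2?page=2,HTTPS://XXXX/B.jsp", ",")
| mvexpand uri
| eval shortUri=replace(uri, "(?i);jsessionid=[^?#]*", "")
| top limit=10 shortUri
```

On the sample rows this yields HTTPS://XXXX/A.jsp with count 3, and HTTPS://XXXX/B.jsp?page=2 and HTTPS://XXXX/B.jsp with count 1 each, because the pattern stops at ? or # and leaves the query string in place. Aggregating on shortUri also keeps session identifiers out of the statistics table.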