facing issues when querying with cs_uri_stem

subhadipc · ‎02-13-2012

I see a different web page mentioned in the body of indexed log and another mentioned in its cs_uri_stem. For example, if I search with host="trlpws003" AND "CustomReport.aspx", I get a list of matching records. Now, when I search with host="trlpws003" AND cs_uri_stem ="*CustomReport.aspx" I do not find those rows.

I need to find the response times of "CustomReport.aspx", but since cs_uri_stem ="CustomReport.aspx" is not working, I am not able to retrieve the same.

Please help.

dmaislin_splunk · ‎02-14-2012

Paste some sample logs with that sample of data including he CustumReport.aspx entry.

Ayn · ‎02-14-2012

It sounds like the extraction of cs_uri_stem is faulty. This is what you need to fix. I can't give you more help than that without more detailed information on the logs you're processing and how you have configured Splunk to handle these logs.

subhadipc · ‎02-14-2012

Hi Ayn,

When I use "CustomReport.aspx" as a free text query for searching purposes, I get rows, but their cs_uri_stem values are not "CustomReport.aspx". I get other aspx page names in the cs_uri_stem values for the extracted rows of the above query. This is vexing me, as I think that the rows returned from query with page names in free text should have their cs_uri_stem values reflecting the same.

Please help.

Ayn · ‎02-13-2012

Well what is the value for cs_uri_stem in the events that are returned when you just search for "CustomReport.aspx" in free text?

facing issues when querying with cs_uri_stem

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2