Hi,
I have data that looks like this:
"beta.icontrol.com" 173.3.202.209 "173.3.202.209" - - [01/Aug/2016:15:50:59 -0500] "GET /rest/icontrol/logout/ HTTP/1.1" 200 - 0 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG-SM-N920A Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.91 Mobile Safari/537.36" "-"
"beta.icontrol.com" 75.27.138.54 "75.27.138.54" - - [01/Aug/2016:15:52:12 -0500] "POST /rest/icontrol/sites/1000262/network/instances/14001e5e090204731d.9.0/points/coolSetPoint?value=2056 HTTP/1.1" 202 7 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G34"
I'm attempting to count the number of GETs and POSTs. Something like this (but it doesn't work, because I'm brand new to rex):
index=main source="/etc/httpd/logs/-access_log" |rex "GET\s+(?<status>\d+) POST\s+(?<status>\d+)"|chart count by status
Splunk complains about two things having the same name (status). Just not sure how to go about this the right way...
Found it (thanks to another post)
index=main source="/etc/httpd/logs/*-access_log*" |rex "GET\s|POST\s+(?<status>\d+)"|chart count by status
Try this
... | rex "(?<status>GET|POST)" | stats count by status
That last part should read:
rex "GET\s+(?<status>\d+) POST\s+(?<status>\d+)"|chart count by status
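As an added example that is not part of this thread, the same extraction done in Python over constructed sample lines in the layout shown above: one pattern with each group named once (method, uri, status), a count by field equivalent to `stats count by`, and a check showing that the regex engine rejects a pattern naming `status` twice, which is the error Splunk reported. Hostnames and addresses in the sample lines are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the same combined-log layout as the thread's
# samples (hostnames and addresses are placeholders, not real servers).
SAMPLE_LINES = [
    '"beta.example.com" 203.0.113.10 "203.0.113.10" - - [01/Aug/2016:15:50:59 -0500] '
    '"GET /rest/icontrol/logout/ HTTP/1.1" 200 - 0 "-" "Mozilla/5.0" "-"',
    '"beta.example.com" 198.51.100.7 "198.51.100.7" - - [01/Aug/2016:15:52:12 -0500] '
    '"POST /rest/icontrol/sites/1/points/coolSetPoint?value=2056 HTTP/1.1" 202 7 0 "-" "Mozilla/5.0"',
    '"beta.example.com" 203.0.113.10 "203.0.113.10" - - [01/Aug/2016:15:53:40 -0500] '
    '"GET /rest/icontrol/missing HTTP/1.1" 404 - 0 "-" "Mozilla/5.0" "-"',
    # A line with no request field at all, to show what an unmatched rex leaves behind
    '"beta.example.com" 198.51.100.7 "198.51.100.7" - - [01/Aug/2016:15:54:02 -0500] "-" 400 - 0 "-" "-"',
]

# One pattern, each capture group named exactly once. Python spells named
# groups (?P<name>...); Splunk's rex uses (?<name>...) for the same thing.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)

def parse_request(line):
    """Return method, uri and status for one line, or None if it has no request."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    return {"method": m["method"], "uri": m["uri"], "status": int(m["status"])}

def count_by(lines, field):
    """Equivalent of `| stats count by <field>`; also reports lines the regex did not match."""
    counts = Counter()
    unmatched = 0
    for line in lines:
        rec = parse_request(line)
        if rec is None:
            unmatched += 1
        else:
            counts[rec[field]] += 1
    return dict(counts), unmatched

def duplicate_group_name_rejected(pattern):
    """True if the regex engine refuses a pattern that names one group twice."""
    try:
        re.compile(pattern)
    except re.error:
        return True
    return False

if __name__ == "__main__":
    print(count_by(SAMPLE_LINES, "method"))  # ({'GET': 2, 'POST': 1}, 1)
    print(count_by(SAMPLE_LINES, "status"))  # ({200: 1, 202: 1, 404: 1}, 1)
    print(duplicate_group_name_rejected(r"GET\s+(?P<status>\d+) POST\s+(?P<status>\d+)"))  # True
```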