Splunk Search

How to replace the similar uri_paths in a Splunk search to calculate the response time for each endpoint?

greeshmak
Explorer

Example:

application="example" index=web uri_path="/some/example/*"

In my application, I have similar uri_paths. I want to replace uri_path and calculate the response time for each endpoint.

Uri_paths: I have 4 different uri_paths; each uri_path has a different number on the end, and that number is nothing but a unique generated number for each request.

/com/google/example/request/123456788000
/com/google/example/request/98760456098
/com/google/example/request/4521346098
/com/google/example/request/6983256709
/com/google/example/request/45321670987
/com/google/example/request/9834708641

/com/google/example/request/bulk/12345678090
/com/google/example/request/bulk/6521340976
/com/google/example/request/bulk/5679084124
/com/google/example/request/bulk/428429720
/com/google/example/request/bulk/7267311890
/com/google/example/request/bulk/254102157

/com/google/example/request/different/12345668900
/com/google/example/request/different/6358097421
/com/google/example/request/different/0789043267
/com/google/example/request/different/67562463129
/com/google/example/request/different/0737912913243

/com/google/example/request/12345677/12345770
/com/google/example/request/126938710/2397100701
/com/google/example/request/625197012804/77064261381
/com/google/example/request/26912783-12/07129512
/com/google/example/request/6877207401/09737861

So I would like to treat each endpoint as one uri_path and calculate the response time of that uri_path. That way, I'll get to know how long each endpoint is taking to complete the process.

How do I replace the above similar uri_paths with separate uri_paths to calculate the response time of each endpoint?

I have replaced some uri_paths using the replace command, but for the above request it is not working.

0 Karma

javiergn
SplunkTrust

Sorry but I'm struggling to understand what you are trying to do.
If you just want to get rid of the random number at the end of the uri_path so that you can then group by endpoint, then the following should work. If not, please provide some information on the desired output.

| rex field=uri_path "(?<endpoint>.+?)/[\d/]+$"


Regards,
J

0 Karma

sundareshr
Legend

Instead of replace, try rex. Here is an example. I'm unsure where you're getting the {ID} from...

    rex mode=sed field=uri_path "s/(com\/google\/example\/request\/).*/\1{ID}/g"

0 Karma

sundareshr
Legend

This will give you the last two segments of uri_path
*UPDATED*

    ... | rex field=uri_path "(?<endpoint>.+?)/[\d/]+$" | stats earliest(_time) as start latest(_time) as end by endpoint | eval duration=tostring(round(end-start, 0), "duration")

0 Karma

sundareshr
Legend

@greeshmak try my updated answer. If that does work, please share desired output and an example of what you call "endpoint"

0 Karma

sundareshr
Legend

Can you give an example of how the replaced value might look?

0 Karma

greeshmak
Explorer

I'm replacing the uri_path by using the replace command.

Ex:

    application="example" index="web" uri_path="/some/example/*"
    | replace "/com/google/example/request/*" WITH "/com/google/example/request/{ID}" in uri_path
    | replace "/com/google/example/request/bulk/*" with "/com/google/example/request/bulk/{Id}" in uri_path
    | replace "/com/google/example/request/different/*" with "/com/google/example/request/different/{Id}" in uri_path
    | replace " /com/google/example/request/*/*" with " /com/google/example/request/{Id1}/{Id2}"

Results are only showing the "/com/google/example/request/*" end point since I'm using the * after request.

0 Karma
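
Added example, not code from any poster in this thread: a Python model of why the chained wildcard replace collapses every path into the first rule, next to a segment regex that keeps the four endpoints apart and averages a response time per endpoint. The function names and the `response_ms` values are assumptions, since the thread never names the response-time field.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase
from statistics import mean

# Wildcard rules in the order of the thread's replace chain (leading space of the last rule dropped).
WILDCARD_RULES = [
    ("/com/google/example/request/*", "/com/google/example/request/{ID}"),
    ("/com/google/example/request/bulk/*", "/com/google/example/request/bulk/{ID}"),
    ("/com/google/example/request/different/*", "/com/google/example/request/different/{ID}"),
    ("/com/google/example/request/*/*", "/com/google/example/request/{ID1}/{ID2}"),
]

# A path segment made only of digits and hyphens is treated as a generated ID.
ID_SEGMENT = re.compile(r"/[\d-]+(?=/|$)")

def wildcard_chain(path):
    """Model of a sequential wildcard replace in which '*' also matches '/'."""
    for pattern, replacement in WILDCARD_RULES:
        if fnmatchcase(path, pattern):
            path = replacement
    return path

def normalize(path):
    """Replace each ID-looking segment; literal segments such as 'bulk' are left alone."""
    return ID_SEGMENT.sub("/{ID}", path.strip())

def response_time_by_endpoint(events):
    """events: iterable of (uri_path, response_ms); returns {endpoint: mean response_ms}."""
    buckets = defaultdict(list)
    for uri_path, response_ms in events:
        buckets[normalize(uri_path)].append(response_ms)
    return {endpoint: mean(times) for endpoint, times in buckets.items()}

# Constructed sample: the paths come from the thread, the response times are made up.
EVENTS = [
    ("/com/google/example/request/123456788000", 120),
    ("/com/google/example/request/98760456098", 80),
    ("/com/google/example/request/bulk/6521340976", 900),
    ("/com/google/example/request/bulk/428429720", 1100),
    ("/com/google/example/request/different/0789043267", 300),
    ("/com/google/example/request/26912783-12/07129512", 40),
    ("/com/google/example/request/6877207401/09737861", 60),
]

if __name__ == "__main__":
    for endpoint, avg in sorted(response_time_by_endpoint(EVENTS).items()):
        print(f"{avg:8.1f} ms  {endpoint}")
```
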