index=* youtube user | table _time, user, host, src, dest, bytes_in, bytes_out, url
This is my simple query. I would like to get result for some specific words from the observed youtube URL in results.
eg:
The above is the "result as per my query. How to do a specific word search in the URL? Like "movies", "keanu reeves" "trailer"
Just want to know, what kind of youtube URL the user has accessed.
You can utilize the match function of where clause to search for specific keywords
index=* youtube user | table _time, user, host, src, dest, bytes_in, bytes_out, url | where match(url,"keenu") OR match(url,"movie") OR...
OR use the regular Splunk search filter like this
index=* youtube user (url=*keenu* OR url=*movie* OR...) | table _time, user, host, src, dest, bytes_in, bytes_out, url
If you want to know what the URLs contain you could also extract what the descriptions say using regex. Something like:
index=* youtube user | rex field=_raw "&description1=(?<desc1>.*),&" | table _time, user, host, src, dest, bytes_in, bytes_out, url, desc1
Well, May i know how to use this regex query? As it as or i need to replace any words in the description part.
rex field=_raw "&description1=(?.*),&"
Thanks!!!
However, i am getting the same result as before. But the 'desc1' column came blank in the result.
You can utilize the match function of where clause to search for specific keywords
index=* youtube user | table _time, user, host, src, dest, bytes_in, bytes_out, url | where match(url,"keenu") OR match(url,"movie") OR...
OR use the regular Splunk search filter like this
index=* youtube user (url=*keenu* OR url=*movie* OR...) | table _time, user, host, src, dest, bytes_in, bytes_out, url
Thanks a lot..
It works, addition to this query. May i get the answer for bytes_in & bytes_out in MB??