How do I capture the unique list of APIs my application is using through Splunk?

vijaydudipala88
New Member

I have paths like this:

https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/
https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/service-data/op...
https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/service-data/uc...

I tried:

index=abc sourcetype="audit" "|https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/*/|"

The wildcard * is capturing the above three as a single API; I need them as three separate ones. All help is appreciated.

0 Karma

sduff_splunk
Splunk Employee
index=abc sourcetype="audit" | rex field=_raw "/service-list/(?<api>[^/]+)/" | stats count by api

The rex command will run a regular expression over the strings, grab the portion that follows /service-list/ and store it in the field 'api'. The stats count command counts the frequency of each unique api, giving you the usage.

0 Karma

vijaydudipala88
New Member

The portion that follows "/service-list/" is a unique ID and is followed by "/service-data/oper-status/", so I need counts like this:
1. https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/service-data/op... ---1000
2. https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/service-data/uc... ----970
3. https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/ -----500

The 3rd API's count should not include the counts of the 1st and 2nd, though the path looks like a superset of 1 and 2.

0 Karma

sduff_splunk
Splunk Employee

So what you actually want to capture is everything up until the pipe | symbol. In this case, this is the regular expression:
index=abc sourcetype="audit" | rex field=_raw "/service-list/(?<api>[^|]+)\|" | stats count by api

0 Karma

Richfez
SplunkTrust

You have these paths inside events?

Also, you have pipe characters inside your search - from that I assume you trimmed the events you are displaying here? Could you instead paste the full event - just pick one, obfuscating if necessary but please try to keep the structure the same?

0 Karma

vijaydudipala88
New Member

2017-05-12T14:44:40:995+00:00|2017-05-12T14:44:40:999+00:00|xaxaxabb-eb88-4b9a-xxxx-83xxxx38a6|v2.0/sites/site/mccfl/ports/port/xaxaxabb-eb88-4b9a-xsss-83xxdd38a6|1967149302-19938||https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/{uniqueId}/|admin|COMPLETE...

0 Karma
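
Added example, not part of the original thread and not Splunk's own code: a Python sketch of the normalization the question calls for, run over constructed events in the pipe-delimited layout of the audit line posted above. It assumes real events carry an actual ID where the posts show {uniqueId}; the IDs and the "example-b" path segment are made up. The two regular expressions express the same idea a rex extraction followed by a replace would in a search.

```python
import re
from collections import Counter

BASE = "https://100.100.100.100:8080/rest/config/L3UCPE-API:services/service-list/"

def make_event(url):
    # Constructed audit line: same field order as the posted event, dummy values.
    return ("2017-05-12T14:44:40:995+00:00|2017-05-12T14:44:40:999+00:00|req-1|"
            "v2.0/sites/site/x/ports/port/p-1|1-1||" + url + "|admin|COMPLETE")

# Constructed sample input; "id-00N" and "example-b" are hypothetical values.
SAMPLE_EVENTS = [
    make_event(BASE + "id-001/"),
    make_event(BASE + "id-002/"),
    make_event(BASE + "id-001/service-data/oper-status/"),
    make_event(BASE + "id-003/service-data/oper-status/"),
    make_event(BASE + "id-002/service-data/oper-status/"),
    make_event(BASE + "id-001/service-data/example-b/"),
    "2017-05-12T14:44:41:000+00:00|malformed line without a URL field",
]

# The URL is the pipe-delimited field that starts with http(s)://.
URL_FIELD = re.compile(r"\|(https?://[^|]+)\|")
# The single path segment after /service-list/ is the per-request ID.
ID_SEGMENT = re.compile(r"(/service-list/)[^/]+(/|$)")

def api_template(event):
    """Return the URL with the ID replaced by {uniqueId}, or None if no URL."""
    match = URL_FIELD.search(event)
    if match is None:
        return None
    return ID_SEGMENT.sub(r"\1{uniqueId}\2", match.group(1), count=1)

def count_apis(events):
    """Count events per API template; lines without a URL are skipped."""
    counts = Counter()
    for event in events:
        template = api_template(event)
        if template is not None:
            counts[template] += 1
    return counts

if __name__ == "__main__":
    for template, count in count_apis(SAMPLE_EVENTS).most_common():
        print(count, template)
```

Because the whole normalized URL is the key, the bare service-list path is counted separately from the longer paths that extend it.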