Hi,
I am using splunk to monitor the performance of a number of long urls and the search strring is like :
| stats max(time_in_sec), perc90(time_in_sec), perc75(time_in_sec), perc50(time_in_sec), avg(time_in_sec), min(time_in_sec), stdev(time_in_sec) by ping_url
It's working fine but the url is too long to fit in the dashboard. I am wondering if there is a way to function to display the short name in the result? Thanks!
e.g. RENAME www.google.com AS Google
I can see a few options;
If you have a large number of URLs you can extract the significant portion with the substr
function.
... | eval shorty = substr(url,40) | the_rest_of_your_search by shorty
If you have a few loooong but fairly static urls you can set up a case
evaluation
...| eval shorty = case(url == "/long/url/number1", "long1", url == "/long/url/number2", long2, url == "really/long/url/number/3", "long3") | the_rest_of_your_search by shorty
See the docs for eval for more info.
If all your URLs start the same way, e.g. /this/is/the/base/directory/in/all/urls/for/the/site/page1.htm, you can make a field extraction that skips the redundant levels (or as Ayn suggests, use replace
).
Hope this helps somewhat,
Kristian
edit: update, spelling
I would really recommend the use of lookup tables here, that way you can always add/modidy/delete any entries there that you may use in your searches. This way you can configure in an eficient way how you want each url to be displayed in order to be readable too.
Here it is some easy to follow info on the subjetc:
http://docs.splunk.com/Documentation/Splunk/5.0/knowledge/Addfieldsfromexternaldatasources
I can see a few options;
If you have a large number of URLs you can extract the significant portion with the substr
function.
... | eval shorty = substr(url,40) | the_rest_of_your_search by shorty
If you have a few loooong but fairly static urls you can set up a case
evaluation
...| eval shorty = case(url == "/long/url/number1", "long1", url == "/long/url/number2", long2, url == "really/long/url/number/3", "long3") | the_rest_of_your_search by shorty
See the docs for eval for more info.
If all your URLs start the same way, e.g. /this/is/the/base/directory/in/all/urls/for/the/site/page1.htm, you can make a field extraction that skips the redundant levels (or as Ayn suggests, use replace
).
Hope this helps somewhat,
Kristian
edit: update, spelling
What does the 40 stand for in substr(url,40)?
see reference
and try googling substr site:docs.splunk.com
You can use the match
function for this. See more info in the docs on eval
functions. http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions
Thanks a lot! This is very helpful!!!
I ma wondering if the CASE function supports regular expression so the search string is cleaner? e.g.
...| eval shorty = case(url == "*number1*", "long1", url == "*number2*", long2, url == "*number3*", "long3") | the_rest_of_your_search by shorty
You probably want replace
(http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Replace 😞
... | replace www.google.com with Google