Solved: timechart of traffic v commerce

londondev · ‎08-23-2012

Based on example 4 at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart I'm trying to generate a timechart of site traffic plus commerce traffic (commerce means our URL matches /Commerce/) but commerce traffic isn't returning anything. I assume there's a problem with my use of eval(uri_path=...

This is the query:
sourcetype=access_combined | timechart count(eval(method="GET")) AS GETs, count(eval(uri_path="/Commerce/*")) AS Commerce

Any ideas what I'm doing wrong?

Ayn · ‎08-23-2012

Your comparison in the eval command is not valid. Wildcard are not supported in a comparison using the equals sign, but are instead performed by using the match function. So, something like this should work better:

sourcetype=access_combined | timechart count(eval(method="GET")) AS GETs, count(eval(match(uri_path,"^/Commerce/"))) AS Commerce

View solution in original post

londondev · ‎08-23-2012

thanks Chris. "sourcetype=access_combined | top uri_path" includes '/Commerce/AIM' - looks like Ayn's answer below works though

Ayn · ‎08-23-2012

Your comparison in the eval command is not valid. Wildcard are not supported in a comparison using the equals sign, but are instead performed by using the match function. So, something like this should work better:

sourcetype=access_combined | timechart count(eval(method="GET")) AS GETs, count(eval(match(uri_path,"^/Commerce/"))) AS Commerce

londondev · ‎08-23-2012

thanks Ayn, this seems to work

chris · ‎08-23-2012

Does uri_path contain any values? What does "sourcetype=access_combined | top uri_path" return? If the field extraction/recognition is ok then it should work (maybe "*/Commerce/*" will work) otherwise the fields might have to be extracted first (but you've already done that right?).

timechart of traffic v commerce

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life