
Splunk Other category when group by

msrama5
Explorer

Hi, I have the saved search Queryone below and want to classify anything not falling under the regex pattern for APIFamily in URI, `(?<APIFamily>[/\w.]+/v\d+)/`, as an "other" category in search query 2. How can this be done in query 2?

Saved Search Queryone -
search environment=test
index=iis* NOT "GET / - 80" NOT "GET / - 443" NOT "/ping*" NOT "swagger"
|eval URI=lower(cs_uri_stem)
|rex field=URI "(?<APIFamily>[/\w.]+/v\d+)/"
|regex APIFamily != "/content/v\d"
|regex APIFamily != "/appsettings/v\d"
|regex APIFamily != "/passbook/v\d"
| rex field=URI mode=sed "s/[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}/USER_ID/g"
| rex field=URI mode=sed "s/\/[0-9]+\/xid$/\/XID\/xid/g"
| rex field=URI mode=sed "s/{.*}/USER_ID/g"
| rex field=URI mode=sed "s/\/$//g"

Search Query 2 on QueryOne
| savedsearch QueryOne
| search *
| stats count as total, count(eval(sc_status>304)) as errors, count(eval(sc_status<304)) as pass by APIFamily
| eval "error%"=(errors/total)*100
| eval "pass%"=(pass/total)*100
| sort -total

0 Karma
1 Solution

richgalloway
SplunkTrust

It's not necessary (and generally discouraged) to post the same question 4 times.

Try this Query 2. It populates empty APIFamily fields with "OTHER".

| savedsearch FirstQuery
| search *
| fillnull value="OTHER" APIFamily
| stats count as total, count(eval(sc_status>304)) as errors, count(eval(sc_status<304)) as pass by APIFamily
---
If this reply helps you, Karma would be appreciated.


0 Karma
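The classification and stats pipeline from the accepted answer, re-implemented in Python over a few constructed IIS records so the "OTHER" catch-all can be checked offline; this is an added example, not code from the thread or from Splunk, and the sample records, the function names and the `error_pct`/`pass_pct` keys are assumptions standing in for the SPL field names.

```python
import re
from collections import defaultdict

# Constructed IIS-style (cs_uri_stem, sc_status) pairs; not real log data.
SAMPLE_EVENTS = [
    ("/Content/v1/items", 200),
    ("/content/v1/items/", 500),
    ("/appsettings/v2/3fa85f64-5717-4562-b3fc-2c963f66afa6", 200),
    ("/passbook/v1/{userId}/card", 404),
    ("/passbook/v3", 200),        # no "/" after the version, so rex does not match
    ("/health", 200),             # no "/vN/" segment at all
    ("/content/v1/cache", 304),   # 304 is neither an error nor a pass in the SPL
]

# Same pattern as rex field=URI "(?<APIFamily>[/\w.]+/v\d+)/"; rex searches, it does not anchor.
API_FAMILY = re.compile(r"([/\w.]+/v\d+)/")
GUID = re.compile(r"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}")


def classify(cs_uri_stem):
    """eval URI=lower(cs_uri_stem) | rex ... | fillnull value="OTHER" APIFamily"""
    match = API_FAMILY.search(cs_uri_stem.lower())
    return match.group(1) if match else "OTHER"   # fillnull catches the non-matches


def normalize_uri(cs_uri_stem):
    """The four rex mode=sed steps of the saved search, applied in the same order."""
    uri = GUID.sub("USER_ID", cs_uri_stem.lower())
    uri = re.sub(r"/[0-9]+/xid$", "/XID/xid", uri)
    uri = re.sub(r"\{.*\}", "USER_ID", uri)
    return re.sub(r"/$", "", uri)


def stats_by_family(events):
    """stats count as total, count(eval(sc_status>304)) as errors,
    count(eval(sc_status<304)) as pass by APIFamily | eval ... | sort -total"""
    rows = defaultdict(lambda: {"total": 0, "errors": 0, "pass": 0})
    for stem, sc_status in events:
        row = rows[classify(stem)]
        row["total"] += 1
        if sc_status > 304:
            row["errors"] += 1
        elif sc_status < 304:
            row["pass"] += 1          # 304 falls in neither bucket, as in the SPL
    for row in rows.values():
        row["error_pct"] = row["errors"] / row["total"] * 100
        row["pass_pct"] = row["pass"] / row["total"] * 100
    return dict(sorted(rows.items(), key=lambda kv: -kv[1]["total"]))
```

Running `stats_by_family(SAMPLE_EVENTS)` puts both `/passbook/v3` and `/health` under `OTHER`, which shows that the catch-all also absorbs API-looking paths that simply lack the trailing slash the pattern requires.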


msrama5
Explorer

that works, thanks

0 Karma

msrama5
Explorer

Reposting the simplified query below, since there are no answers yet. I have the saved search FirstQuery below and want to classify anything not falling under the regex pattern for APIFamily in URI, `(?<APIFamily>[/\w.]+/v\d+)/`, as an "other" category in search query 2. How can this be done in query 2?

FirstQuery -
search environment=test
index=iis* NOT "GET / - 80" NOT "GET / - 443" NOT "/ping*" NOT "swagger"
|eval URI=lower(cs_uri_stem)
|rex field=URI "(?<APIFamily>[/\w.]+/v\d+)/"

Search Query 2 on FirstQuery
| savedsearch FirstQuery
| search *
| stats count as total, count(eval(sc_status>304)) as errors, count(eval(sc_status<304)) as pass by APIFamily

0 Karma

msrama5
Explorer

To make it simpler, I have simplified the two queries.

Saved Search Queryone -
search environment=test
index=iis* NOT "GET / - 80" NOT "GET / - 443" NOT "/ping*" NOT "swagger"
|eval URI=lower(cs_uri_stem)
|rex field=URI "(?<APIFamily>[/\w.]+/v\d+)/"
| rex field=URI mode=sed "s/[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}/USER_ID/g"

Search Query 2 on QueryOne
| savedsearch QueryOne
| search *
| stats count as total, count(eval(sc_status>304)) as errors, count(eval(sc_status<304)) as pass by APIFamily

0 Karma