I am trying to pull a list of different URLs from a Splunk query. The data is like below.
Sample data:
Need to group data like below as one - /v7/ap/deal/config?groupid
/v7/ap/deal/config?groupId=1234
/v7/ap/deal/config?groupId=4567
/v7/ap/deal/config?groupId=8910
Need to group data like below as one - /v7/ap/deals/*/deals-allowed
/v7/ap/deals/1234567/deals-allowed
/v7/ap/deals/N32343Ds/deals-allowed
/v7/ap/deals/F3e43Ds/deals-allowed
Need to group data like below as one - /v1/deal/deals//deal-group/item?startdate
/v1/deal/deals/1234567/deal-group/item?startdate=2020-01-21
/v1/deal/deals/N1234/deal-group/item?startdate=2019-01-21
/v1/deal/deals/E2345/deal-group/item?startdate=2019-10-21
/v1/deal/deals/F2354/deal-group/item?startdate=2019-12-21
Use the "cluster" function. It is extremely useful and will do exactly what you're asking.
Example usage:
index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count
Thanks a lot for the information. Is it possible to use the cluster command on one field? In my case it is the url field alone.
Glad to help. And yes, you can use this with any query, just pipe the results to cluster, and/or table any fields you want to display.
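The grouping the question asks for (collapse identifier segments to `*`, keep only the query parameter names) is deterministic, so it can also be done by normalising each URL to its route template before counting, which is the usual first step when baselining request volume per endpoint or spotting ID enumeration. The Python below is an added example, not part of the original thread or of Splunk; it assumes that an identifier is any path segment containing a digit, except a version marker of the form `v<digits>`, and the sample URLs are the ones from the question, embedded as constructed input.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumption: API version markers look like "v7" and must be kept literally.
VERSION_RE = re.compile(r"^v\d+$")


def normalise_segment(seg: str) -> str:
    """Return the segment unchanged unless it looks like an identifier.

    Heuristic (assumption): a segment that contains at least one digit and is
    not a version marker is treated as an identifier and replaced with '*'.
    Literal segments such as 'deal-group' carry no digits and are kept.
    """
    if VERSION_RE.match(seg):
        return seg
    if any(ch.isdigit() for ch in seg):
        return "*"
    return seg


def url_template(url: str) -> str:
    """Collapse a request URL to its route template.

    Identifier path segments become '*', and query-string values are dropped
    so only the parameter names remain, e.g.
    /v7/ap/deal/config?groupId=1234 -> /v7/ap/deal/config?groupId
    """
    parts = urlsplit(url)
    path = "/".join(normalise_segment(s) for s in parts.path.split("/"))
    if parts.query:
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        return f"{path}?{','.join(names)}"
    return path


def group_urls(urls):
    """Count how many raw URLs fall under each route template."""
    return Counter(url_template(u) for u in urls)


# Constructed sample input: the URLs listed in the question.
SAMPLE_URLS = [
    "/v7/ap/deal/config?groupId=1234",
    "/v7/ap/deal/config?groupId=4567",
    "/v7/ap/deal/config?groupId=8910",
    "/v7/ap/deals/1234567/deals-allowed",
    "/v7/ap/deals/N32343Ds/deals-allowed",
    "/v7/ap/deals/F3e43Ds/deals-allowed",
    "/v1/deal/deals/1234567/deal-group/item?startdate=2020-01-21",
    "/v1/deal/deals/N1234/deal-group/item?startdate=2019-01-21",
    "/v1/deal/deals/E2345/deal-group/item?startdate=2019-10-21",
    "/v1/deal/deals/F2354/deal-group/item?startdate=2019-12-21",
]

if __name__ == "__main__":
    for template, count in group_urls(SAMPLE_URLS).most_common():
        print(f"{count:3d}  {template}")
```

The digit heuristic is a deliberate simplification: a literal route segment that legitimately contains a digit (anything other than a `v7`-style version) would be wildcarded too, so check the resulting templates against the known API routes before using the counts as a baseline.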