Splunk Search

How to do the addition of content loaded from a Page

Shashank_87
Explorer

Hi, I have a requirement where I have a page say https://www.abc.com/mobile and this page loads various assets like css, js, images etc.
In my access logs I get everything like size of the pages and assets.

Say my referer is "https://www.abc.com/mobile/monthly" and this page loads 10 assets (js, css, images etc). How do I sum the size of those assets + size of the page itself and put it in a tabular format with 2 columns - Page and total size? I was doing something like below but it's not what I want.

index=temp sourcetype=access_combined_wcookie referer="https://www.abc.com/mobile/monthly" OR requested_content="/mobile/monthly"
| stats values(size) as size count by requested_content

Let me know if someone can help. It will be appreciated.

0 Karma

DalJeanis
Legend

The best way to get a comprehensive solution is to give us an example of the data. Just make one or more tables that show each type of event and what some fake example data might look like. Since you want to deal with multiple referers, you probably should include two different examples for that.

What are the relevant fields when the event has referer="https://www.abc.com/mobile/monthly", and what are the relevant fields when it has requested_content="/mobile/monthly"? How does a human know that those two types of records get linked?

0 Karma

niketn
Legend

@Shashank_87, have you tried the following?

<yourCurrentSearch>
| stats sum(size) as "Total Size" by referer
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Shashank_87
Explorer

@niketnilay Thanks for the quick response. Yes, I did. And 90%, it gives me the result. I have 2 queries now -

  1. This command gives me 2 rows because the page itself would have a referer which will be added to the row. I just want one row with the sum of (size of assets + size of page). Hope you get what I am saying. Like if I go to this page https://www.abc.com/mobile/monthly from a browser using Google, then the referer for this page would be logged as "https://google.com"
  2. And I have multiple referers, say 40. Do I have to manually put OR is there a faster way?

Let me know if you can help please

0 Karma

niketn
Legend

@Shashank_87, what do you mean by 2 rows and 1 row? The stats command creates rows using the split-by field, which in my code is referer. If you need one row, your by clause should have that field instead.
Is the field requested_content the page that you are referring to in your question? Which field represents the asset? Can you add some sample data and more details for the community to assist you better?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
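
Added example, not part of any post in this thread: one way to get a single row per page when the page's own request carries an external referer, without listing each referer by hand. It assumes the field names used in the thread (requested_content, referer, size), that assets can be recognised by file extension (the extension list is an assumption), and it runs on constructed sample events held in the field constructed_events.

```spl
| makeresults
| eval constructed_events="/mobile/monthly|https://google.com|5000;/static/app.js|https://www.abc.com/mobile/monthly|1200;/static/site.css|https://www.abc.com/mobile/monthly|800;/mobile/yearly|https://www.abc.com/mobile/monthly|4000;/static/app.js|https://www.abc.com/mobile/yearly|1200;/img/logo.png|https://www.abc.com/mobile/yearly|300"
| makemv delim=";" constructed_events
| mvexpand constructed_events
| eval parts=split(constructed_events, "|")
| eval requested_content=mvindex(parts, 0), referer=mvindex(parts, 1), size=tonumber(mvindex(parts, 2))
| eval referer_path=replace(referer, "^https?://[^/]+", "")
| eval Page=if(match(requested_content, "(?i)\.(css|js|png|jpe?g|gif|svg|ico|woff2?)$"), referer_path, requested_content)
| stats sum(size) as "Total Size" by Page
```

Asset requests are attributed to the path of their referer, while a page request is attributed to its own requested_content, so the external or previous-page referer on the page hit no longer creates a second row. To run it against real events, replace everything up to and including the line that extracts requested_content, referer and size with the base search (index=temp sourcetype=access_combined_wcookie).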