All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need a querry to triage an api on all possible hosts.

vikram_m
Path Finder
‎09-27-2018 04:59 AM

We have around 10 hosts with similar APIs i.e 20. something like below.

/api/v1/device/host1
/api/v1/device/host2
/api/v1/device/host3
/api/v1/device/host4
/api/v1/device/host5
/api/v1/device/host1/provisioning/
/api/v1/device/host2/provisioning/
/api/v1/device/host3/provisioning/
/api/v1/device/host5/provisioning/
/api/v1/device/host6/provisioning/
/api/v1/device/host7/provisioning/
/api/v1/device/host1/authentication
/api/v1/device/host2/authentication
/api/v1/device/host3/authentication
/api/v1/device/host3/authentication
/api/v1/device/host4/authentication
/api/v1/device/host5/authentication

based on these set of 20 apis and 10 devices I need a querry which can give me stats for the individual apis irrespective of devices something like below.

/api/v1/device//authentication/ 10
/api/v1/device//provisioning/ 20
/api/v1/device/* 12

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-27-2018 05:39 AM

@vikram_m

You can use the regular expression for extracting devices and apis from URL and use stats command to get the desired output.

try this rex command for extracting.

| rex field=_raw "\/api\/v1\/device\/(?<device>[^\/]+)(\/(?<api>[^\/]+))?"

Then after you can use stats command.

like.

For distinct devices : | stats dc(device) as devices
For count by api: | stats count by api

Use this sample search:

|makeresults | eval _raw="
URL
/api/v1/device/host1
/api/v1/device/host2
/api/v1/device/host3
/api/v1/device/host4
/api/v1/device/host5
/api/v1/device/host1/provisioning/
/api/v1/device/host2/provisioning/
/api/v1/device/host3/provisioning/
/api/v1/device/host5/provisioning/
/api/v1/device/host6/provisioning/
/api/v1/device/host7/provisioning/
/api/v1/device/host1/authentication
/api/v1/device/host2/authentication
/api/v1/device/host3/authentication
/api/v1/device/host3/authentication
/api/v1/device/host4/authentication
/api/v1/device/host5/authentication
"| multikv | rex field=_raw "\/api\/v1\/device\/(?[^\/]+)(\/(?[^\/]+))?" | stats dc(device) as devices
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...