Re: Group results based on criteria

mcvr · ‎10-25-2017

Hi Peeps,

source="Log.txt" resp_status=503 | chart count by req_url

If I execute the above query I will get the following results

/account/signin.jsp
/account/signin.jsp?FOLDER%3C%3Efolder_id=253437430373429
/account/signin.jsp?FOLDER%3C%3Efolder_id=2534374303734299
/account/track_your_order.jsp
/checkout/shoppingbag.jsp?FOLDER%3C%3Efolder_id=2534374303724558&PRODUCT%3C%3Eprd_id=845524442909193
/checkout/shoppingbag.jsp?FOLDER%3C%3Efolder_id=2534374303724558&PRODUCT%3C%3Eprd_id=845524442909193
/checkout/shoppingbag.jsp?FOLDER%3C%3Efolder_id=2534374303724558&PRODUCT%3C%3Eprd_id=845524443476873
/checkout/shoppingbag.jsp?FOLDER%3C%3Efolder_id=2534374303724558&PRODUCT%3C%3Eprd_id=845524443483800
/checkout/shoppingbag.jsp?FOLDER%3C%3Efolder_id=2534374303724558&PRODUCT%3C%3Eprd_id=845524443483876
/checkout/shoppingbag.jsp?FOLDER%3C%3Efolder_id=2534374303724558&PRODUCT%3C%3Eprd_id=845524443483876
/checkout/shoppingbag.jsp?FOLDER%3C%3Efolder_id=2534374303724558&PRODUCT%3C%3Eprd_id=845524443483876
/checkout/shoppingbag.jsp?FOLDER%3C%3Efolder_id=2534374303724558&PRODUCT%3C%3Eprd_id=845524443483876

I want to group all the shoppingbag.jsp results to one category and their total count so that I will understand that the shoppingbag page for various products were returing 503 in total

elliotproebstel · ‎10-25-2017

A quick regex should do the trick:
| rex field=req_url "(?<url_base>[^\?]+)"

So your full query will be:
source="Log.txt" resp_status=503 | rex field=req_url "(?<url_base>[^\?]+)" | chart count by url_base

Group results based on criteria

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio