I have the following search:
sourcetype="placingOrder" Code=504 host="localhost*" | stats count by Path
The output is:
Path count
/api/fetchReport/v2/report1 2
/api/fetchReport/v2/report2 8
/api/fetchReport/v2/report3 3
/api/fetchReport/v2/report4 10
/api/Order/v2/OrdrePlaced 9
/api/Order/v3/OrdreNotPlaced 1
I want the output to be:
Path         Module          count
fetchReport  report1         2
             report2         8
             report3         3
             report4         10
Order        OrdrePlaced     9
             OrdreNotPlaced  1
@JyotiP
Can you please try this?
sourcetype="placingOrder" Code=504 host="localhost*" | stats count by Path | rex field=Path "\/api\/(?<Path>.*)\/(v2|v3)\/(?<Module>.*)" | streamstats window=2 first(Path) as f_path count as c |
eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count
My Sample Search:
| makeresults | eval _raw=" Path count
/api/fetchReport/v2/report1 2
/api/fetchReport/v2/report2 8
/api/fetchReport/v2/report3 3
/api/fetchReport/v2/report4 10
/api/Order/v2/OrdrePlaced 9
/api/Order/v3/OrdreNotPlaced 1
" | multikv | rex field=Path "\/api\/(?<Path>.*)\/(v2|v3)\/(?<Module>.*)" | streamstats window=2 first(Path) as f_path count as c |
eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count
Hi,
Instead of stats count by Path, use "| table Path".
Try below query
sourcetype="placingOrder" Code=504 host="localhost*" |table Path | rex field=Path "/api/(?\w+)/(?\w+)/(?\w+)" | stats count by field1 field3*
@wanip_fossil I guess something is wrong with the regex. I am getting an error in the regex.
sourcetype="placingOrder" Code=504 host="localhost*" |table Path | rex field=Path "\/api\/(?\w+)\/(?\w+)\/(?\w+)" | stats count by field1 field3*
Please try now
Getting the below error,
Error in 'rex' command: Encountered the following error while compiling the regex '\/api\/(?\w+)\/(?\w+)\/(?\w+)': Regex: unrecognized character after (? or (?-
@kamlesh_vaghela yeah, this works. What does this streamstats do?
🙂
Adds cumulative summary statistics to all search results in a streaming manner. The streamstats command calculates statistics for each event at the time the event is seen.
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Streamstats
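Added example, not posted by anyone in this thread: a Python emulation of what the rex, streamstats window=2 and eval steps of the search above compute on the question's sample rows. The function names are made up for illustration, and the rows are constructed from the output shown in the question.

```python
import re

# Constructed sample rows: the Path/count pairs from the question's stats output.
ROWS = [
    ("/api/fetchReport/v2/report1", 2),
    ("/api/fetchReport/v2/report2", 8),
    ("/api/fetchReport/v2/report3", 3),
    ("/api/fetchReport/v2/report4", 10),
    ("/api/Order/v2/OrdrePlaced", 9),
    ("/api/Order/v3/OrdreNotPlaced", 1),
]

# Same pattern as the rex in the search, using Python's (?P<name>...) syntax.
REX = re.compile(r"/api/(?P<Path>.*)/(v2|v3)/(?P<Module>.*)")

def rex(rows):
    """Emulate: rex field=Path "..." (overwrites Path, adds Module)."""
    out = []
    for path, count in rows:
        m = REX.search(path)
        # On no match, keep the original Path and leave Module empty.
        fields = m.groupdict() if m else {"Path": path, "Module": ""}
        out.append({**fields, "count": count})
    return out

def streamstats_window2(events):
    """Emulate: streamstats window=2 first(Path) as f_path count as c."""
    out = []
    for i, ev in enumerate(events):
        window = events[max(0, i - 1): i + 1]  # current row plus at most one before
        out.append({**ev, "f_path": window[0]["Path"], "c": len(window)})
    return out

def blank_repeats(events):
    """Emulate: eval Path=case(c=1,Path, Path!=f_path,Path, 1=1,"")."""
    table = []
    for ev in events:
        keep = ev["c"] == 1 or ev["Path"] != ev["f_path"]
        table.append((ev["Path"] if keep else "", ev["Module"], ev["count"]))
    return table

def run(rows=ROWS):
    return blank_repeats(streamstats_window2(rex(rows)))

if __name__ == "__main__":
    for row in run():
        print("{:<12} {:<15} {}".format(*row))
```

Because the window reaches back only one row, the blanking works only when rows sharing a Path are adjacent.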