Assuming I have an access log file with referer, if I have:
111.111.111.111 - - [.......] "GET /cart.do?action=checkout&productId=prod1" "//..../searchresult"
111.111.111.111 - - [.......] "GET /cart.do?action=purchase&productId=prod2" "//..../cart.do?action=checkout&productId=prod1"
If I count productId will I get 2 and prod1 counted twice?
If I count action=checkout, do I get 2?
Can I make my search ignore the referer completely?
Yes it is probably counting. The fastest way might be to rex it.
your_search | rex field=uri "action=(?<count_action>[^&]*)&productId=(?<count_product>\w+)" | stats count by count_action, count_product
A more complicated example would do it automatically in props/transforms.
props.conf
[access_combined]
EXTRACT-action = action=(?<count_action>[^&]*) in uri
EXTRACT-product = productId=(?<count_product>[^&]*) in uri
http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf
Yeah, that might backfire because if it finds action=purchase in the referer, it would grab it. I'd have to test and see, but I don't think we are set up with that structure.
If I didn't, I could imagine this would give false information:
sourcetype=access_* | transaction clientip startswith=eval(action="addtocart") endswith=eval(action="purchase")
Thanks a lot. I think Splunk needs to mention that in the course materials
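The double counting asked about in this thread can be reproduced outside Splunk. The following is an added example, not code from any poster: it compares a key=value match over the whole event text with one scoped to the requested URI, which is what `rex field=uri` and `EXTRACT-... in uri` do. The sample events, the `shop.example` host and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample events in combined format, modelled on the two lines in the question.
SAMPLE = [
    '111.111.111.111 - - [01/Jan/2024:10:00:00 +0000] "GET /cart.do?action=checkout&productId=prod1 HTTP/1.1" 200 512 "http://shop.example/searchresult" "Mozilla/5.0"',
    '111.111.111.111 - - [01/Jan/2024:10:00:05 +0000] "GET /cart.do?action=purchase&productId=prod2 HTTP/1.1" 200 734 "http://shop.example/cart.do?action=checkout&productId=prod1" "Mozilla/5.0"',
]

# Request line, status, bytes, then the quoted referer.
COMBINED = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')
# Unscoped key=value match, applied to the whole event text.
PAIR = re.compile(r'(action|productId)=([^&\s"]*)')

def count_raw(lines):
    """Count key=value pairs anywhere in the event, referer included."""
    return Counter(f"{k}={v}" for line in lines for k, v in PAIR.findall(line))

def count_uri(lines):
    """Count key=value pairs only in the query string of the requested URI."""
    counts = Counter()
    for line in lines:
        m = COMBINED.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = parse_qs(urlsplit(m.group("uri")).query)
        for key in ("action", "productId"):
            for value in query.get(key, []):
                counts[f"{key}={value}"] += 1
    return counts

if __name__ == "__main__":
    print("whole event:", dict(count_raw(SAMPLE)))
    print("uri only:   ", dict(count_uri(SAMPLE)))
```

Any search that filters or groups on `action` (including the `transaction` boundaries above) inherits the same inflation if the field was extracted from the whole event rather than from the URI.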