Solved: Re-Categorizing a URL

jaywilwk · ‎12-16-2013

This search shows the amount of traffic that goes across our network in GB. I want to be able to manually force googlevideo.com traffic to be categorized as social networking since our palo alto is categorizing as Audio/Video clips.

index=*** sourcetype=*** | stats sum(src_bytes) as GB by url category | eval GB=round(GB/1024/1024/1024,2) | sort -GB

aholzer · ‎12-16-2013

You can use an eval statement that sets the category to "social networking" for anything that contains "googlevideo.com" in the url field, but if it doesn't contain "googlevideo.com" to leave the same category. Like so:

index=* sourcetype=* | eval category = if(like(url,"%googlevideo.com%"), "social networking", category) | stats sum(src_bytes) as GB by url category | eval GB=round(GB/1024/1024/1024,2) | sort -GB

Hope this helps

View solution in original post

aholzer · ‎12-16-2013

You can use an eval statement that sets the category to "social networking" for anything that contains "googlevideo.com" in the url field, but if it doesn't contain "googlevideo.com" to leave the same category. Like so:

index=* sourcetype=* | eval category = if(like(url,"%googlevideo.com%"), "social networking", category) | stats sum(src_bytes) as GB by url category | eval GB=round(GB/1024/1024/1024,2) | sort -GB

Hope this helps

Re-Categorizing a URL

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability