I have a Splunk query to fetch the top 5 APIs based on error percent. Below is the query for it:
index=myaccount sourcetype=myaccountweb-master Response status=* url=*
| chart count over url by status
| addtotals
| foreach * [
    | eval <<FIELD>> = if('<<FIELD>>'==0,"-",'<<FIELD>>')
    | eval p_<<MATCHSTR>> = if(isnull(tonumber('<<FIELD>>')),'<<FIELD>>',round(('<<FIELD>>'/Total)*100,2))
    | eval p_<<MATCHSTR>> = if('p_<<MATCHSTR>>'<1, "< 1",'p_<<MATCHSTR>>')
    | eval <<FIELD>> = if("<<FIELD>>"=="Total",'<<FIELD>>', case('<<FIELD>>'=="-","-",tonumber('<<FIELD>>')>1,'<<FIELD>>'." (".p_<<MATCHSTR>>."%)",1=1,'<<FIELD>>')) ]
| fields - p_*
| eval url=lower(url)
| rex mode=sed field=url "s/account\/(\d+)\//account\/me\//"
| rex mode=sed field=url "s/\d+account.\w+|\d+fm|\d+fs\d+/*/g"
| rex mode=sed field=url "s/..:..:..:..:..:../*/"
| rex mode=sed field=url "s/accounts\?ip=.*/accounts?ip=__/"
| rex mode=sed field=url "s/[^\/]{30,}/*/g"
| rex mode=sed field=url "s/(\d|\.){8,}/*/g"
| rex field="500" "\d+\s\((?<perc>.*)%\)"
| sort - perc
| where perc>10
| head 5
I have URLs where the userID comes in between, and to replace those userIDs with * I have used rex commands, and it works, replacing the userID with *.
But the issue is that it counts them separately, since the userID differs for each hit made on the URL. Because of this, my top 5 API hits output differs.
E.g. URL: /account/user/JHWERTYQMNVSJAIP/email, where JHWERTYQMNVSJAIP is the userID and it is replaced by *.
I am getting the below output for the query:
url                    200  201  204  400  401  500
/account/user/*/email  -    -    -    -    -    5 (100.00%)
/account/user/*/email  -    -    -    -    -    4 (100.00%)
/account/user/*/email  -    -    -    -    -    4 (100.00%)
Whereas all these URLs are actually one, and the expected output should be like adding 5+4+4 and displaying it once, like this:
url                    200  201  204  400  401  500
/account/user/*/email  -    -    -    -    -    13 (100.00%)
Since the userID differs for each one, it takes the count separately. Any help on this would be appreciated. Thanks in advance.
You have the right idea, but to get the numbers right, normalization of the URL must be done before the numbers are calculated by the chart command.
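As an added example (not the answer author's own query), here is the question's search reordered so that the lowercasing and every rex normalization run on the raw events before chart; the rex patterns and the foreach formatting block are copied from the question unchanged, and the index, sourcetype and field names are assumed to be exactly as the question gives them.

```spl
index=myaccount sourcetype=myaccountweb-master Response status=* url=*
| eval url=lower(url)
| rex mode=sed field=url "s/account\/(\d+)\//account\/me\//"
| rex mode=sed field=url "s/\d+account.\w+|\d+fm|\d+fs\d+/*/g"
| rex mode=sed field=url "s/..:..:..:..:..:../*/"
| rex mode=sed field=url "s/accounts\?ip=.*/accounts?ip=__/"
| rex mode=sed field=url "s/[^\/]{30,}/*/g"
| rex mode=sed field=url "s/(\d|\.){8,}/*/g"
| chart count over url by status
| addtotals
| foreach * [
    | eval <<FIELD>> = if('<<FIELD>>'==0,"-",'<<FIELD>>')
    | eval p_<<MATCHSTR>> = if(isnull(tonumber('<<FIELD>>')),'<<FIELD>>',round(('<<FIELD>>'/Total)*100,2))
    | eval p_<<MATCHSTR>> = if('p_<<MATCHSTR>>'<1, "< 1",'p_<<MATCHSTR>>')
    | eval <<FIELD>> = if("<<FIELD>>"=="Total",'<<FIELD>>', case('<<FIELD>>'=="-","-",tonumber('<<FIELD>>')>1,'<<FIELD>>'." (".p_<<MATCHSTR>>."%)",1=1,'<<FIELD>>')) ]
| fields - p_*
| rex field="500" "\d+\s\((?<perc>.*)%\)"
| sort - perc
| where perc>10
| head 5
```

Because chart now groups on the already-normalized url, the three /account/user/*/email rows collapse into a single row whose 500 count is the sum (13 in the question's data), and the percentage formatting, sort, where and head all operate on that one row.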