Quantcast
Channel: Latest Questions on Splunk Answers
Viewing all articles
Browse latest Browse all 13053

Splunk: Extract runtime search wildcards into key value pairs for analysis

$
0
0

I have a log4j server log with multiple lines formatted similar to the following:

"10.1.1.1" "AUTH-USER" "22/Jul/2013:22:42:42 -0700" "GET /source1/resources/RESOURCE/ENDPOINT/1111/start HTTP/1.1" 200 4 "10.1.1.1" "auth2" "22/Jul/2013:22:43:03 -0700" "PUT /source1/resources/RESOURCE/ENDPOINT HTTP/1.1" 200 4 "10.40.16.254" "auth2" "22/Jul/2013:22:43:03 -0700" "PUT /source1/resources/secure/RESOURCE/v1/ENDPOINT?var1=A&var2=01-01-2013&var4=Allison HTTP/1.1" 200 4

Where RESOURCE is a list of variable strings and ENDPOINT represents list of variable strings.

I would like to count the number of times a distinct pair of RESOURCE:ENDPOINT exists in the log file to know the number of times each web service has been called in a specific timeline.

I know I can perform the following search to return all of the values:

("/RevWebServices/resources/*/* HTTP/1.1" OR "/RevWebServices/resources/secure/*/v*/* HTTP/1.1")

But how do I extract the values in to key value pair that can be counted?


Viewing all articles
Browse latest Browse all 13053

Latest Images

Trending Articles



Latest Images

<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>