I'm using Splunk Enterprise. I have a search that looks like:
```
index=foo sourcetype=yapache_access host=bar | fields url,duration | rex field=url mode=sed "s/[a-zA-Z0-9._]{20,}/_HASH/g" | rex field=url mode=sed "s/ysp_user_agent=[^&]+//g" | rex field=url mode=sed "s/oauth[a-z_]+=[a-zA-Z0-9_]+//g" | rex field=url mode=sed "s/(\d\d\d\d-\d\d-\d\d)/YYYY-MM-DD/g" | rex field=url mode=sed "s/([.\/=;,])(\d+)/\1_ID/g" | stats count, avg(duration) as servertime by url | where count>100 | sort 100 -servertime
```
This search groups URLs by replacing embedded IDs, dates, etc. with constants so that I can look at requests that have at least 100 uses, and then sort them by their mean servertime to find slow requests.
I would like to share this flattening of the URL with other users on the team in a convenient-to-use way. So, two questions:
1) Is defining a new calculated field via the UI, "*Fields » Calculated fields » Add new*", the way to go?
2) If so, how do I do it? I haven't found an example that shows me how to fill out that form when a chain of rex commands is what defines my new field.
Apologies if this is detailed somewhere handy. I tried searching the docs and the forums before asking this.
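An added example, not from the original post and not Splunk's calculated-field mechanism: the same rex chain reproduced in Python over constructed sample URLs, so the order-dependent substitutions and the count>100 grouping can be checked offline before the logic is wired into Splunk. The only translation is sed's `\1` becoming Python's `\g<1>`; the sample events and durations are made up.

```python
import re
from statistics import mean
from collections import defaultdict

# Same substitutions as the search, applied in the same order (order matters:
# the 20+ character "hash" rule runs before dates and numeric ids are rewritten).
# Python needs \g<1> where sed uses \1 immediately followed by text.
FLATTEN_RULES = [
    (re.compile(r"[a-zA-Z0-9._]{20,}"), "_HASH"),
    (re.compile(r"ysp_user_agent=[^&]+"), ""),
    (re.compile(r"oauth[a-z_]+=[a-zA-Z0-9_]+"), ""),
    (re.compile(r"(\d\d\d\d-\d\d-\d\d)"), "YYYY-MM-DD"),
    (re.compile(r"([./=;,])(\d+)"), r"\g<1>_ID"),
]

def flatten_url(url):
    """Collapse ids, dates, hashes and auth params so equivalent requests share one key."""
    for pattern, repl in FLATTEN_RULES:
        url = pattern.sub(repl, url)
    return url

def slow_requests(events, min_count=100, top=100):
    """stats count, avg(duration) by flattened url | where count>min_count | sort -avg."""
    durations = defaultdict(list)
    for url, duration in events:
        durations[flatten_url(url)].append(duration)
    rows = [(u, len(d), mean(d)) for u, d in durations.items() if len(d) > min_count]
    return sorted(rows, key=lambda r: r[2], reverse=True)[:top]

def build_sample_events():
    """Constructed sample access-log rows (not real data): (url, duration_seconds)."""
    events = []
    for i in range(150):  # one endpoint, varying user id and tokens, 0.2 s each
        events.append((f"/api/v2/users/{1000 + i}/orders?oauth_token=tok{i}"
                       f"&ysp_user_agent=Mozilla/5.0&date=2023-01-15", 0.20))
    for i in range(120):  # paginated search, slower
        events.append((f"/search?page={i}&sort=asc", 0.80))
    for i in range(5):    # hashed asset names, too rare to be reported
        events.append((f"/assets/bundle{i:024d}.js", 0.05))
    return events

if __name__ == "__main__":
    for url, count, avg in slow_requests(build_sample_events()):
        print(f"{count:5d}  {avg:.3f}s  {url}")
```

Note that the chain leaves the empty `&&` behind once the auth and user-agent parameters are stripped, which is harmless for grouping but visible in the flattened key.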