I am trying to report on user web activity to a particular category as well as list the URLs in that category. I have the following so far.
Search...
| eval MB = bytes_to_server/1024/1024
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)
This works, but I would like to consolidate some of the URLs. For example, I would like to just make lb1.cloudsite.com, lb2.cloudsite.com, etc into 1 url of cloudsite.com
I attempted using the following eval and it works, but I am left with no other results. I read up on the case function and I understand why it does that, but I am still looking for another function that will do that as well as leave me with the other results that do not match.
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com")
↧