10.1.151.100 [18/May/2018:09:09:57 +0200] "GET http://example.com/DCQ/templates/GetAggregated?channel=TV&contentId=4ek4k4&lang=eng HTTP/1.1" 200 2856 hit 0.000111 hit - 154.176.135.239
10.1.51.16 [18/May/2018:09:20:42 +0200] "GET http://video-play.vodacom.co.za/AVS/besc?action=GetIsFavorite&channel=IPHONE&contentId=1200668 HTTP/1.1" 200 113 miss 0.007757 miss - 19.392.33.103
10.1.51.16 [18/May/2018:08:37:51 +0200] "GET http://example.com/AVS/besc?username=00007&channel=ANDROID&action=GetAccountList HTTP/1.1" 200 1516 miss 0.030941 miss - 203.122.32.11
I tried this, but it does not print the ones with action=<> that are at the end of the URL.
index=index-name_idx earliest=-1h | rex "(?i)action=(?P<test>[^&]+)" |stats count by test
index=index-name_idx earliest=-1h | rex "(?i)action=(?P<test>[^&]+|[\s]+)" |stats count by test
The result I get is:
CheckSession 444
DeleteFavourite 1
GetAccountList 116
GetAccountList HTTP/1.1" 200 1516 miss 0.030941 miss - 119.92.253.103 1
GetAccountList HTTP/1.1" 200 1898 miss 0.029884 miss - 119.92.253.103 1
GetAccountList HTTP/1.1" 200 1902 miss 0.023020 miss - 119.92.253.103 1
I want the result for action=<> anything, sorted by channel= and count, but the key action could be anywhere in the URL and hence I don't get the exact count.
How do we use regex to find action=<> if it is at the end of the URL?
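An added example, not part of the original post: the capture from the question runs to the end of the line because `[^&]+` stops only at `&`, so a trailing `action=` value swallows ` HTTP/1.1" 200 ...`. The Python sketch below uses `[^&\s]+` instead (a character class that Splunk's PCRE-based `rex` also accepts) and counts by channel and action; the sample lines, the client IPs and the names `action`, `channel` and `UNKNOWN` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the access-log format shown in the question.
SAMPLE_LOG = """\
10.1.151.100 [18/May/2018:09:09:57 +0200] "GET http://example.com/DCQ/templates/GetAggregated?channel=TV&contentId=4ek4k4&lang=eng HTTP/1.1" 200 2856 hit 0.000111 hit - 192.0.2.10
10.1.51.16 [18/May/2018:09:20:42 +0200] "GET http://example.com/AVS/besc?action=GetIsFavorite&channel=IPHONE&contentId=1200668 HTTP/1.1" 200 113 miss 0.007757 miss - 192.0.2.11
10.1.51.16 [18/May/2018:08:37:51 +0200] "GET http://example.com/AVS/besc?username=00007&channel=ANDROID&action=GetAccountList HTTP/1.1" 200 1516 miss 0.030941 miss - 192.0.2.12
10.1.51.16 [18/May/2018:08:38:02 +0200] "GET http://example.com/AVS/besc?channel=ANDROID&action=GetAccountList HTTP/1.1" 200 1898 miss 0.029884 miss - 192.0.2.12
10.1.51.16 [18/May/2018:08:39:10 +0200] "GET http://example.com/AVS/besc?transaction=77&channel=TV HTTP/1.1" 200 90 miss 0.001200 miss - 192.0.2.13
"""

# Pattern from the question: stops only at "&", so a trailing action= keeps going.
NAIVE_ACTION = re.compile(r'action=(?P<test>[^&]+)', re.I)

# Stop at "&" OR whitespace; require "?" or "&" in front so "transaction=" is ignored.
ACTION = re.compile(r'[?&]action=(?P<action>[^&\s]+)', re.I)
CHANNEL = re.compile(r'[?&]channel=(?P<channel>[^&\s]+)', re.I)


def count_by_channel_action(log_text):
    """Return a Counter keyed by (channel, action); lines without action= are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        action = ACTION.search(line)
        if not action:
            continue
        channel = CHANNEL.search(line)
        name = channel.group('channel') if channel else 'UNKNOWN'
        counts[(name, action.group('action'))] += 1
    return counts


def naive_values(log_text):
    """Values captured by the original pattern, for comparison."""
    matches = map(NAIVE_ACTION.search, log_text.splitlines())
    return [m.group('test') for m in matches if m]


if __name__ == '__main__':
    for (channel, action), n in sorted(count_by_channel_action(SAMPLE_LOG).items()):
        print(channel, action, n)
```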