I am trying to get the total number of web server pages that match a given F5 load balancer iRule condition. Specifically, I have one source that contains the iRules with a field called VERB (i.e. F5 starts_with OR contains) and the URI (i.e. /mydirectory1/ OR /mydirectory2/mypage.aspx, etc.). I want to take the values in the URI with a starts_with verb and 'join' them together with the web server's log field cs_uri_stem. The issue I think that I am running into is that the starts_with verb would really mean the search should be cs_uri_stem = VERB with an * wildcard at the end. Help!!!!
This sounds like a job for a lookup (which I learned about only not too long ago myself)! Instead of having the F5 Irules in an index, can you make it a .csv? Stick it under your $SPLUNK_HOME/etc/system/lookups if you can. This way, you can do something like this:
This will load up the csv, search for your starts with, returns URI as cs_uri_stem.. and then searches your web logs for that cs_uri_stem and does the counting you need. This is just off the top of my head, I haven't got a way to test it.

Brian

OK, I will try this, but how will I join it to the web server logs? Don't I need another query there?
(01 Aug '11, 10:07)
approachct
I don't think it's a join, it's more of a loop - you're specifying "source=web_logs" (or whatever your web log source is). The "[|inputlookup ..." section is a subsearch that returns a cs_uri_stem in which to search your web logs for.
(01 Aug '11, 12:08)
Brian Osburn
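
The matching logic discussed in this thread, as an added example that is not part of the original posts and is not the query from the answer: it turns each iRule row into the wildcard value a cs_uri_stem search needs (starts_with becomes `URI*`, contains becomes `*URI*`), builds the OR filter those values amount to, and counts hits over sample stems. The CSV contents, the sample stems and all function names are constructed for illustration; matching is case-insensitive on the assumption that it should mirror Splunk's search-time field matching.

```python
import csv
import io
import re
from collections import Counter

# Constructed lookup CSV; the VERB and URI column names come from the question.
IRULES_CSV = """VERB,URI
starts_with,/mydirectory1/
contains,/mydirectory2/mypage.aspx
"""

# Constructed cs_uri_stem values standing in for web server log events.
SAMPLE_STEMS = [
    "/mydirectory1/index.aspx",
    "/MyDirectory1/sub/page.aspx",
    "/app/mydirectory2/mypage.aspx",
    "/mydirectory2/other.aspx",
    "/other/mydirectory1/",
]

def to_wildcard(verb, uri):
    """Translate an iRule verb into the wildcard value for cs_uri_stem."""
    if verb == "starts_with":
        return uri + "*"
    if verb == "contains":
        return "*" + uri + "*"
    raise ValueError(f"unsupported verb: {verb!r}")

def load_patterns(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [to_wildcard(r["VERB"].strip(), r["URI"].strip()) for r in rows]

def search_filter(patterns):
    """OR expression equivalent to searching the logs for every pattern."""
    return " OR ".join(f'cs_uri_stem="{p}"' for p in patterns)

def matches(pattern, stem):
    # Only '*' is a wildcard; every other character is matched literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, stem, re.IGNORECASE) is not None

def count_matches(patterns, stems):
    """Number of stems matched by each pattern (a stem may match several)."""
    counts = Counter({p: 0 for p in patterns})
    for stem in stems:
        counts.update(p for p in patterns if matches(p, stem))
    return counts
```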