N # of url formats

Follow
Avatar
Cory Wilkerson

Ok, looking to get a count of requests by "someId" in the following scenario:

Format 1: /foo?someId=s1234&nut=bang&baz=bar

Format 2: /foo?nut=bang&baz=bar&someId=s1234

Format 3: /foo?nut=bang&someId=s1234&baz=bar

I'd like to do something like:

parse "GET /*?" as uri | parse "?id=s*&" as some_id | parse "&id=s* " as some_id | where uri = "foo" | count by some_id

I realize that's not possible so what are my options? Is it possible to build a few searches and union those searches?

 

0

Comments

2 comments

Sort by Date Votes
  • Avatar
    Kevin Keech

    You should be able to do something like the following to pull the ID

    | parse regex "GET \/foo.*(?:&|\?)someId=s(?<some\_Id>.{4})"

    | count by some_Id

     

    The "where" is not necessary since you cover this as part of the parse expression and any messages that do not match the parse expression will be dropped.

     

    0
    Comment actions Permalink
  • Avatar
    Cory Wilkerson

    Perfect. Thanks.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post