Aggregating WildCards in Sumologic
I'm trying to aggregate the API logs based on the different endpoints I have. There are a total of 4 endpoints:
1: /v1/vehicle_locations
2: /v1/vehicle_locations/id
3: /v1/driver_locations
4: /v1/driver_locations/id
The way I'm currently doing this is:
_sourceCategory=production | keyvalue auto | where (path matches "/v1/driver_locations" OR path matches "/v1/driver_locations/*" or path matches "/v1/vehicle_locations" or path matches "/v1/vehicle_locations/*") | count by path
The problem with this is that while I get the correct aggregate for /v1/vehicle_locations and /v1/driver_locations, I get individual results for /v1/driver_locations/id and /v1/vehicle_locations/id since the id is a wildcard. Is there a way I can aggregate these wildcards as well to show the total calls to /v1/driver_locations/id and /v1/vehicle_locations/id respectively?
-
Hi Kendrick,
I would try and use an IF statement to normalize the URLs with the variable IDs, e.g.:
_sourceCategory=production
| keyvalue auto
| where (path matches "/v1/driver_locations" OR path matches "/v1/driver_locations/*" or path matches "/v1/vehicle_locations" or path matches "/v1/vehicle_locations/*")
| if (path matches "/v1/driver_locations/*), "/v1/driver_locations/id", If(path matches "/v1/vehicle_locations/*", "/v1/vehicle_locations/id", path)) as path
| count by path
-
Sorry, I missed a quote when I typed that up. Fixed below.
_sourceCategory=production
| keyvalue auto
| where (path matches "/v1/driver_locations" OR path matches "/v1/driver_locations/*" or path matches "/v1/vehicle_locations" or path matches "/v1/vehicle_locations/*")
| if (path matches "/v1/driver_locations/*", "/v1/driver_locations/id", if(path matches "/v1/vehicle_locations/*", "/v1/vehicle_locations/id", path)) as path
| count by path