With our event types in place, we can now build queries. The Tag value that we
included means we can search easily for only those events that match a section,
like the following:
tag::eventtype="summary_url" | top eventtype
The previous code returns a table as shown in the following screenshot:
Our results contain the new event types that we created, along with an unwanted
event type, bogus. Remember that all event type definitions that match an event
are attached. This is very powerful, but sometimes is not what you expect. The
bogus event type definition is *, which means it matches everything. The bogus
event type was added purely to illustrate the point and has no practical use.
Let's create a new field from our summary event type name, then aggregate
based on the new field:
tag::eventtype="summary_url"
| rex field=eventtype "url_(?P<section>.*)"
| stats count by section
The previous code gives us the results we are looking for, as shown in the
following screenshot:
This search finds only events that have defined event types, which may be what
you want. To group all other results into an "other" group, we instead need to
search for all events in the following manner:
sourcetype=impl_splunk_web
| rex field=eventtype "url_(?P<section>.*)"
| fillnull value="other" section
| stats count by section
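As an added illustration that is not part of the book, the following Python script models how Splunk attaches every matching event type to an event as a multivalued eventtype field, then replays the three searches above over a few constructed web events. The event type definitions, the tag mapping and the events are all assumed for the demo, and the rex step is simplified to the first matching value.

```python
import re
from collections import Counter
# Constructed sample web events (not from the book).
EVENTS = [
    {"sourcetype": "impl_splunk_web", "url": "/about/team"},
    {"sourcetype": "impl_splunk_web", "url": "/products/list"},
    {"sourcetype": "impl_splunk_web", "url": "/products/view?id=3"},
    {"sourcetype": "impl_splunk_web", "url": "/static/logo.png"},
]
# Assumed event type definitions (name -> predicate); "bogus" is the "*" definition.
EVENT_TYPES = {
    "url_about": lambda e: e["url"].startswith("/about/"),
    "url_products": lambda e: e["url"].startswith("/products/"),
    "bogus": lambda e: True,
}
# Assumed tags; note that "bogus" is NOT tagged summary_url.
TAGS = {"url_about": {"summary_url"}, "url_products": {"summary_url"}}
SECTION_RE = re.compile(r"url_(?P<section>.*)")

def attach_eventtypes(events):
    """Every definition that matches is attached, so eventtype is multivalued."""
    return [dict(e, eventtype=[n for n, p in EVENT_TYPES.items() if p(e)]) for e in events]

def search_by_tag(events, tag):
    """tag::eventtype="<tag>": keep events with any event type carrying the tag."""
    return [e for e in events if any(tag in TAGS.get(t, ()) for t in e["eventtype"])]

def top_eventtype(events):
    """| top eventtype : multivalued fields are expanded, so "bogus" is counted too."""
    return Counter(t for e in events for t in e["eventtype"])

def rex_section(events):
    """| rex field=eventtype "url_(?P<section>.*)" (simplified: first matching value wins)."""
    for e in events:
        for m in filter(None, map(SECTION_RE.match, e["eventtype"])):
            e["section"] = m.group("section")
            break
    return events

def stats_count_by_section(events, fillnull=None):
    """| fillnull value=<fillnull> section | stats count by section (null groups are dropped)."""
    sections = (e.get("section", fillnull) for e in events)
    return dict(Counter(s for s in sections if s is not None))

if __name__ == "__main__":
    tagged = search_by_tag(attach_eventtypes(EVENTS), "summary_url")
    print(top_eventtype(tagged))  # bogus 3, url_products 2, url_about 1
    print(stats_count_by_section(rex_section(tagged)))  # {'about': 1, 'products': 2}
    print(stats_count_by_section(rex_section(attach_eventtypes(EVENTS)), fillnull="other"))
```

The last line reproduces the "other" bucket: the /static/ event carries only the bogus type, so it has no section until fillnull supplies one.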