So I have these type of logs:
[2023-03-24 12:38:38,774] [INFO] - Tool - Finished scan cycle #20 for top URL = https://www.website.com/tool/ . Channel = mobile . Duration = 2h 52m 50s (seconds = 10370) . Total visited URLs = 3527. Max depth reached = 6.
[2023-03-24 09:45:38,482] [INFO] - Tool - Finished scan cycle #19 for top URL = https://www.website.com/tool/ . Channel = mobile . Duration = 2h 36m 10s (seconds = 9370) . Total visited URLs = 3326. Max depth reached = 6.
And my search looks like this:
index="xxxxx" sourcetype="xxxxx" host="xxxxx" AND "Finished scan cycle" AND "/tool"
| timechart min(seconds)
And I want to update the search to display only the logs which contain Total visited URLs < a value I will set, e.g. 3000.
For now I have the regex URLs\s=\s(?<value>\d+), but I don't know how to use this in Splunk to search by this value.
To filter on the visited URL count, put your regex in a rex command to extract the count from the event. Then use the where command to keep only the desired values.
index="xxxxx" sourcetype="xxxxx" host="xxxxx" AND "Finished scan cycle" AND "/tool"
| rex "URLs\s=\s(?<value>\d+)"
| where value < 3000
| timechart min(seconds)
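To see what the rex / where / timechart pipeline above does to these events, here is an added Python example that is not part of the question or the answer. It replays the same steps offline over a few constructed log lines in the format shown in the question: the base search terms become substring checks, rex becomes the question's regex (in Python named-group syntax) plus a second regex for the seconds field, where becomes a numeric comparison, and timechart min(seconds) becomes hourly buckets. The sample events, the extra cycles #17 and #18, the /other/ URL and the fixed one-hour span are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the same layout as the question's log lines (not real data).
# Cycles #20 and #19 are the question's own lines; #18 and #17 are invented to exercise the filter.
SAMPLE_EVENTS = [
    "[2023-03-24 12:38:38,774] [INFO] - Tool - Finished scan cycle #20 for top URL = https://www.website.com/tool/ . Channel = mobile . Duration = 2h 52m 50s (seconds = 10370) . Total visited URLs = 3527. Max depth reached = 6.",
    "[2023-03-24 09:45:38,482] [INFO] - Tool - Finished scan cycle #19 for top URL = https://www.website.com/tool/ . Channel = mobile . Duration = 2h 36m 10s (seconds = 9370) . Total visited URLs = 3326. Max depth reached = 6.",
    "[2023-03-24 06:50:12,001] [INFO] - Tool - Finished scan cycle #18 for top URL = https://www.website.com/tool/ . Channel = mobile . Duration = 2h 10m 00s (seconds = 7800) . Total visited URLs = 2950. Max depth reached = 6.",
    "[2023-03-23 23:30:01,100] [INFO] - Tool - Finished scan cycle #17 for top URL = https://www.website.com/other/ . Channel = mobile . Duration = 1h 00m 00s (seconds = 3600) . Total visited URLs = 1200. Max depth reached = 4.",
]

TS_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\]")
# Assumed: the question's search already has a `seconds` field, so we extract it ourselves here.
SECONDS_RE = re.compile(r"seconds\s=\s(?P<seconds>\d+)")
# The question's regex, with Splunk's (?<value>...) written as Python's (?P<value>...).
URLS_RE = re.compile(r"URLs\s=\s(?P<value>\d+)")


def extract_fields(event):
    """Emulate `rex`: return the extracted fields, or None if the event does not match."""
    ts = TS_RE.search(event)
    secs = SECONDS_RE.search(event)
    urls = URLS_RE.search(event)
    if not (ts and secs and urls):
        return None
    return {
        "_time": datetime.strptime(ts.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "seconds": int(secs.group("seconds")),
        "value": int(urls.group("value")),
    }


def search(events, max_urls, top_url_fragment="/tool"):
    """Emulate the base search terms plus `rex ...` and `where value < max_urls`."""
    results = []
    for event in events:
        # "Finished scan cycle" AND "/tool" from the base search.
        if "Finished scan cycle" not in event or top_url_fragment not in event:
            continue
        fields = extract_fields(event)
        if fields is None:
            continue  # rex did not match: the event has no `value` and drops out at `where`
        if fields["value"] < max_urls:
            results.append(fields)
    return results


def timechart_min_seconds(rows):
    """Emulate `timechart min(seconds)` with an assumed fixed span of one hour."""
    buckets = defaultdict(list)
    for row in rows:
        bucket = row["_time"].replace(minute=0, second=0, microsecond=0)
        buckets[bucket].append(row["seconds"])
    return {bucket: min(values) for bucket, values in sorted(buckets.items())}


if __name__ == "__main__":
    kept = search(SAMPLE_EVENTS, 3000)
    for row in kept:
        print(row["_time"], "seconds =", row["seconds"], "value =", row["value"])
    for bucket, min_seconds in timechart_min_seconds(kept).items():
        print(bucket, "min(seconds) =", min_seconds)
```

With the threshold at 3000 only cycle #18 survives: #20 and #19 have more than 3000 visited URLs, and #17 is dropped by the "/tool" term before the regex ever runs. Raising the threshold to 4000 keeps all three /tool/ cycles, one per hourly bucket.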