Write custom rules for URL grouping in Splunk RUM π
Splunk RUM automatically groups URLs together based on default rules that capture errors and metrics, such as page load and route change duration, JavaScript errors, back-end errors, and Web vitals.
What are custom rules in Splunk RUM? π
Write custom rules to group together URLs with common components based on your specifications. Customizing rules allows you to streamline the organization of your data in Splunk RUM in a way that makes the most sense to you and your organization. You can group URLs by both path and domain.
You also need custom URL grouping rules to generate page-level metrics (rum.node.*
) in Splunk RUM.
Write a custom rule π
Follow these steps to write a custom rule:
Learn about your URLs. Identify the components and tokens.
Figure out what kind of results you want to see.
Review the pattern syntax and examples to better understand how to formulate rules that work for your data.
Reference the default rules and see if you need to deactivate any for your rule to work.
How to identify components of a URL π
Within the scope of Splunk RUM, there are the following components in a URL:
scheme
domain
path
fragment
Example π
Consider the following URL:
https://example.com/path/page#title
.
Here is how to break down this URL into components:
Component |
Example |
---|---|
Scheme |
|
Domain |
|
Paths |
|
Fragment |
|
How to identify tokens π
In terms of writing rules in Splunk RUM, a URL consists of two parts: a domain and a path. A token is exactly one word separated by either a β/β for a path or a β.β for a domain. The following definitions and examples illustrate how to identify tokens in your URLs so that you can write the best rules for your use case.
Domain π
The domain consists of a top-level domain and any prefixed subdomains. Host tokens are separated by the .
symbol. For example, subdomain.domain.com
is split into the following tokens: subdomain
, domain
, com
.
Path π
Path components are separated by a /
symbol. For example, https://example.com/documentation/section/topic
is split into the following tokens: documentation
, section
, topic
.
Support for # in URLs π
Single-page applications use a #
token at the end of a URL path to append the fragment. The following URL shows how blog posts from a single-page application are listed after the # symbol: https://example.com/#/blogpost
. By default, fragments after a # are ignored by Splunk RUM, unless you specify that you would like to include it in a rule. For example, the fragment #title
is excluded from the path in this example: https://example.com/path/page.html#title
.
Pattern syntax π
The following table shows the pattern, examples of URLs that match this pattern, and examples of URLs that donβt match the pattern.
What is a rule? π
In a rule, you define how you want to group together URLs based on common characteristics. To get started, first add a domain rule, then you can add a path rule.
What is a pattern? π
The pattern is the most important component of a rule. The pattern defines the common portion in the path or domain that is shared by all URLs that match the rule. Patterns also consist of tokens, like the domain and path in the URL. A wildcard in the pattern matches actual tokens in the URLβs path or domain. You can apply a wildcard to a pattern to match one or more tokens.
<?> Wildcard for single token π
This example shows how to use a <?>
symbol to apply a single token wildcard to group URLs by path.
Pattern |
Examples of paths that match |
Examples of paths that donβt match |
---|---|---|
|
|
|
<??> Wildcard for one or more trailing tokens π
This example shows how to use a <??>
wildcard to group together URLs by one or more tokens. The <??>
wildcard is supported only as the last wildcard in a pattern at this time.
Pattern |
Examples of paths that match |
Examples of tokens that donβt match |
---|---|---|
|
|
|
Combination pattern π
This example shows how to use a combination of wildcards to group together URLs by a pattern of several tokens.
Pattern |
Examples of paths that match |
Examples of paths that donβt match |
---|---|---|
|
|
|
Invalid syntax π
The following syntax is invalid:
Invalid syntax |
Explanation |
---|---|
|
Starting or ending a pattern with a β.β character. |
|
The |
|
Donβt mix the |
|
This pattern is invalid because the wildcard needs to be between two |
|
This pattern is invalid because the <??> wildcard is not separated by a β.β character. A valid pattern is |
|
A pattern for a path must start with a |
|
The <??> wildcard must be the last token in a pattern. |
|
The <?> wildcard must be separated by |
Default rules π
Note
You need at least one matching domain and path rule.
RUM has several default rules that you can find in the RUM URL grouping tab under Data Management. If you want to create a rule that conflicts with a default rule, you can deactivate the default rule globally, or by application.
Example π
This * wildcard matches any path that starts with /app/
.
Pattern |
Examples of paths that match |
Examples of paths that donβt match |
---|---|---|
|
|
|
Example π
The wildcard W*
applies to any token that doesnβt have any numbers in it. This pattern matches any path that starts with /app/
and is followed by tokens without numbers in it.
Pattern |
Examples of paths that match |
Examples of paths that donβt match |
---|---|---|
|
|
|
Use cases π
The following examples outline how to apply a rule to group URLs together according to the use case you want to solve.
Use a <?> wildcard to group URLs by product ID π
Suppose you are an online retailer and you want to group together URLs by product ID. In this example, the product ID is the letter, number combination after /merchandise/
in the path of the URL.
Example URLs |
Pattern |
Result |
---|---|---|
|
|
The result groups together all URLs with the same product ID:
|
For this example, you need to first create a domain rule like this:
Next, you can create the path rule:
Use a <?> wildcard to group by subdomain π
This example shows how to use a <?>
wildcard to group together URLs with the same subdomain.
Example URLs |
Pattern |
Result |
---|---|---|
|
|
The result groups together all URLs with the same subdomain: |
For example, here is how to create this rule:
Use a <??> wildcard to group by string π
Suppose you want to measure performance across v1 and v2 APIs for any function. This rule uses the <??>
to wildcard the remainder of the path.
Example URLs |
Rule |
Result |
---|---|---|
|
|
Groups together URLs by API function. |
For example, here is how to create this rule:
Manage URL grouping rules π
Host and path rules are combined to create the URL Name in the UI. Spans are retained for 8 days in Splunk RUM. For more, see Data retention in Splunk Observability Cloud. Changes to any rules apply only to incoming data.
Note
You need to create a domain rule first, then you can add a path rule. If you edit, deactivate, or delete a rule your changes apply only to future data and not data that was already ingested by Splunk RUM.
Create a new rule π
Follow these steps to create a new rule:
- There are four ways to access the Splunk RUM URL rule manager:
From the left navigation panel, select RUM> RUM Configuration> RUM URL Grouping Rules in the Application Summary dashboard.
From the left navigation panel, select Settings> RUM URL grouping Rules under Data Configuration.
From the RUM Overview dashboard, select RUM Configuration> RUM URL Grouping Rules.
From the RUM Tag Spotlight view, select the three dot settings button, then RUM URL Grouping Rules.
Select New Rule.
Select the URL token for which you want to write a rule.
Select the application(s) you want to monitor. If you donβt select an application, then the rule is applied to all.
Write the pattern by which you want to group URLs.
Select Create.
Edit an existing rule π
Follow these steps to edit an existing rule:
Navigate to the RUM URL rule manager.
Select the three dot symbol, then Edit.
Make your changes, then select Update.
Deactivate or reactivate a rule π
Follow these steps to deactivate or reactivate an existing rule. When you deactivate a rule, Splunk RUM stops processing incoming data according to this rule. If you choose to deactivate a rule and then activate it again in the future, the rule is not applied to data that was already ingested by Splunk RUM.
Navigate to the RUM URL rule manager.
- Select the three dot symbol, then Edit.
To activate the rule, click Activate.
To deactivate the rule, click Yes, deactivate this rule.
Delete π
Follow these steps to delete a rule:
Navigate to the RUM URL rule manager.
Select the three dot symbol, then Edit> Delete > Yes, delete this rule.