topic Re: How to count the results of a rex that returns multiple matches as a single group of matches? in Splunk Search

How to count the results of a rex that returns multiple matches as a single group of matches?

bschaap — Wed, 20 Sep 2017 14:15:08 GMT

I have results from a rex statement that looks something like the first set of results. The rex returns multiple matches per row. I am trying to use the stats function to group multiple matches as a single group (see Desired). However, my stats statement currently sees each match as a separate group (see Not Desired). Is there a way to return the Desired result?

Multi-match rex results
namespace
.........................................................
System.ServiceModel.Channels
System.ServiceModel.Dispatcher
..........................................................
System.ServiceModel.Channels
System.ServiceModel.Dispatcher
..........................................................

Statement
... |stats count by namespace

Desired
namespace count
.........................................................................................
System.ServiceModel.Channels 2
System.ServiceModel.Dispatcher
.........................................................................................

Not Desired
namespace count
.........................................................................................
System.ServiceModel.Channels 1
System.ServiceModel.Dispatcher 1
.........................................................................................

Re: How to count the results of a rex that returns multiple matches as a single group of matches?

cpetterborg — Wed, 20 Sep 2017 15:23:38 GMT

Not being able to see more of your search, and assuming a few things from what you said, I'd attempt the following:

<your search> | mvexpand namespace | stats count by namespace

Re: How to count the results of a rex that returns multiple matches as a single group of matches?

bschaap — Wed, 20 Sep 2017 15:43:51 GMT

I appreciate the response. Unfortunately, mvexpand namespace didn't do what I expected. This is my original search. The results return all the namespaces within the stacktrace for a row. I would like to group each set of matches within a stacktrace and return a count. Instead, it's grouping on each individual match. Hope this makes sense.

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100| table namespace

Re: How to count the results of a rex that returns multiple matches as a single group of matches?

somesoni2 — Wed, 20 Sep 2017 16:36:39 GMT

Give this a try. The nomv command will convert your multivalued field to regular, linear field. This way the stats will treat them as one group, instead of individual values.

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100| table namespace | nomv namespace | stats count by namespace | makemv namespace

Re: How to count the results of a rex that returns multiple matches as a single group of matches?

cpetterborg — Wed, 20 Sep 2017 16:44:03 GMT

OOPS. @somesoni2 got it right. I got my mv commands mixed up when I submitted, and I didn't check my answer first. Gotta make sure I check things before I submit!

Re: How to count the results of a rex that returns multiple matches as a single group of matches?

bschaap — Wed, 20 Sep 2017 17:13:50 GMT

It works! Thank everyone.