topic How to count the numbers of occurrence for two value in Splunk Search

How to count the numbers of occurrence for two value

JyotiP — Mon, 16 Sep 2019 10:18:39 GMT

I have the following search:

sourcetype="placingOrder" Code=504 host="localhost*" | stats count by Path

The output is:

Path                            count
/api/fetchReport/v2/report1    2
/api/fetchReport/v2/report2    8
/api/fetchReport/v2/report3    3
/api/fetchReport/v2/report4   10
/api/Order/v2/OrdrePlaced        9
/api/Order/v3/OrdreNotPlaced    1

I want the output should be:

Path                   Module           count                   
fetchReport            report1          2
                       report2             8
                       report3             3
                       report4             10
Order               OrdrePlaced          9
                       OrdreNotPlaced       1

Re: How to count the numbers of occurrence for two value

kamlesh_vaghela — Mon, 16 Sep 2019 10:34:07 GMT

@JyotiP

Can you please try this?

sourcetype="placingOrder" Code=504 host="localhost*" | stats count by Path | rex field=Path "\/api\/(?<Path>.*)\/(v2|v3)\/(?<Module>.*)" | streamstats window=2 first(Path) as f_path count as c |
eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count

My Sample Search:

| makeresults | eval _raw=" Path                            count
 /api/fetchReport/v2/report1       2
 /api/fetchReport/v2/report2       8
 /api/fetchReport/v2/report3       3
 /api/fetchReport/v2/report4      10
 /api/Order/v2/OrdrePlaced         9
 /api/Order/v3/OrdreNotPlaced      1
" | multikv | rex field=Path "\/api\/(?<Path>.*)\/(v2|v3)\/(?<Module>.*)" | streamstats window=2 first(Path) as f_path count as c |
eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count

Re: How to count the numbers of occurrence for two value

JyotiP — Mon, 16 Sep 2019 10:42:09 GMT

@kamlesh_vaghela yeah this work. What does this streamstats do?

Re: How to count the numbers of occurrence for two value

wanip_fossil — Wed, 30 Sep 2020 02:11:33 GMT

Hi,

Inspite of stats count by Path, use "|table Path" .

Try below query

sourcetype="placingOrder" Code=504 host="localhost*" |table Path | rex field=Path "/api/(?\w+)/(?\w+)/(?\w+)" | stats count by field1 field3*

Re: How to count the numbers of occurrence for two value

kamlesh_vaghela — Mon, 16 Sep 2019 11:16:18 GMT

🙂

Adds cumulative summary statistics to all search results in a streaming manner. The streamstats command calculates statistics for each event at the time the event is seen.

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Streamstats

Re: How to count the numbers of occurrence for two value

JyotiP — Mon, 16 Sep 2019 15:14:55 GMT

@wanip_fossil I guess something wrong with the regex. I am getting an error in the regex.

Re: How to count the numbers of occurrence for two value

wanip_fossil — Wed, 30 Sep 2020 02:11:43 GMT

sourcetype="placingOrder" Code=504 host="localhost*" |table Path | rex field=Path "\/api\/(?\w+)\/(?\w+)\/(?\w+)" | stats count by field1 field3*

Please try now

Re: How to count the numbers of occurrence for two value

JyotiP — Mon, 16 Sep 2019 15:42:41 GMT

Getting the below error,
Error in 'rex' command: Encountered the following error while compiling the regex '\/api\/(?\w+)\/(?\w+)\/(?\w+)': Regex: unrecognized character after (? or (?-