topic How to get stats on a string and name the string as a column in Splunk Search

How to get stats on a string and name the string as a column

maddenm2 — Wed, 04 Dec 2019 15:47:29 GMT

ProxyName=PLB and ("/policies" OR "/bills") stats count by ProxyName

I want the string "/policies" or "/bills" to be in a column name TYPE with the counts for each string.

Re: How to get stats on a string and name the string as a column

oscar84x — Wed, 04 Dec 2019 16:36:19 GMT

Could you provide event samples that contain both types? Have you considered extracting the field "type". Please provide some more data so we can see what you're working with.

Re: How to get stats on a string and name the string as a column

woodcock — Wed, 04 Dec 2019 18:14:53 GMT

Like this (upper-casing of AND is VERY important):

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND ProxyName="PLB" AND ("/policies" OR "/bills")
| eval TYPE = if(searchmatch("/policies"), "policies", "bills")
| stats COUNT BY TYPE ProxyName

Or better yet, like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND ProxyName="PLB" AND ("/policies" OR "/bills")
| eval TYPE = if(searchmatch("/policies"), "policies", "bills")
| chart COUNT BY TYPE ProxyName

Or even better, like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND ProxyName="PLB" AND ("/policies" OR "/bills")
| stats count AS TOTAL count(eval(searchmatch("/policies"))) AS policies count(eval(searchmatch("/bills"))) AS bills BY ProxyName