https://community.splunk.com/t5/Splunk-Search/count-the-field-using-occurrences-of-string-in-the-field-value/m-p/525500#M148309 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227739">@goalkeeper</a>&nbsp;</P><P>See this demo example using your data&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="url,queryString http://host/getOrder,id=1&amp;id=2&amp;id=3 http://host/getUser,id=1&amp;id=2 http://host/getUser,id=2&amp;id=3" | multikv forceheader=1 | table url queryString | rex field=queryString max_match=0 "id=(?&lt;id&gt;\d+)" | eval ids=mvcount(id) | stats sum(ids) as ids by url</LI-CODE><P>What you want is from the rex statement down. This will</P><UL><LI>Extract the ids into a new field called id based on the regex</LI><LI>Count the number of ids found</LI><LI>Calculate the sum of ids by url</LI></UL><P>Hope this helps</P><P>&nbsp;</P> Tue, 20 Oct 2020 05:01:39 GMT bowesmana 2020-10-20T05:01:39Z https://community.splunk.com/t5/Splunk-Search/count-the-field-using-occurrences-of-string-in-the-field-value/m-p/525494#M148307 <P>I am very new to Splunk.</P><P>I have an access.log file, which contains the Url and&nbsp; querystring:</P><P>url&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;queryString</P><P data-unlink="true">http://host/getOrder&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;id=1&amp;id=2&amp;id=3</P><P data-unlink="true">http://host/getUser&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;id=1&amp;id=2&nbsp;</P><P data-unlink="true">http://host/getUser&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; id=2&amp;id=3&nbsp;</P><P>How could I&nbsp; count the url using the occurrence of "id" in the queryString?</P><P>So the result I want would be</P><P>Url&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;IdCount</P><P><A href="http://host/getOrder" target="_blank">http://host/getOrder</A>&nbsp; &nbsp; &nbsp; &nbsp; 3</P><P><A href="http://host/getUser" target="_blank">http://host/getUser</A>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;4</P><P>&nbsp;</P><P>Thanks in advance</P> Tue, 20 Oct 2020 04:36:54 GMT https://community.splunk.com/t5/Splunk-Search/count-the-field-using-occurrences-of-string-in-the-field-value/m-p/525494#M148307 goalkeeper 2020-10-20T04:36:54Z https://community.splunk.com/t5/Splunk-Search/count-the-field-using-occurrences-of-string-in-the-field-value/m-p/525500#M148309 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227739">@goalkeeper</a>&nbsp;</P><P>See this demo example using your data&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="url,queryString http://host/getOrder,id=1&amp;id=2&amp;id=3 http://host/getUser,id=1&amp;id=2 http://host/getUser,id=2&amp;id=3" | multikv forceheader=1 | table url queryString | rex field=queryString max_match=0 "id=(?&lt;id&gt;\d+)" | eval ids=mvcount(id) | stats sum(ids) as ids by url</LI-CODE><P>What you want is from the rex statement down. This will</P><UL><LI>Extract the ids into a new field called id based on the regex</LI><LI>Count the number of ids found</LI><LI>Calculate the sum of ids by url</LI></UL><P>Hope this helps</P><P>&nbsp;</P> Tue, 20 Oct 2020 05:01:39 GMT https://community.splunk.com/t5/Splunk-Search/count-the-field-using-occurrences-of-string-in-the-field-value/m-p/525500#M148309 bowesmana 2020-10-20T05:01:39Z https://community.splunk.com/t5/Splunk-Search/count-the-field-using-occurrences-of-string-in-the-field-value/m-p/525610#M148344 <P>It works. Thanks again.</P> Tue, 20 Oct 2020 17:06:40 GMT https://community.splunk.com/t5/Splunk-Search/count-the-field-using-occurrences-of-string-in-the-field-value/m-p/525610#M148344 goalkeeper 2020-10-20T17:06:40Z