https://community.splunk.com/t5/Splunk-Search/How-to-select-particular-path-using-where/m-p/478655#M192883 <P>@JyotiP <BR /> Please check my UPDATED answer.</P> Wed, 06 Nov 2019 05:30:05 GMT kamlesh_vaghela 2019-11-06T05:30:05Z https://community.splunk.com/t5/Splunk-Search/How-to-select-particular-path-using-where/m-p/478652#M192880 <P>I have the followinf query </P> <PRE><CODE> sourcetype="server" host=*localqa* | stats count by Path | rex field=Path "\/api\/(?&lt;Path&gt;.*)\/(v1|v2|v3)\/(?&lt;Module&gt;.*)" | streamstats window=2 first(Path) as f_path count as c | eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count </CODE></PRE> <P>The output of the above query is </P> <PRE><CODE>+-------------------------------------------------------------------------------+ |Path | Module |count | +-------------------------------------------------------------------------------+ |profile | profileTravellroute |212 | |statements/trialbalance | trialbalance |14 | |iteneries/breakout | execution |1041 | | | orderDetails |117 | |reporting/trans | schemes |712 | | | fixedIncome |40 | |reporting | FinalizedReports |161 | | | PendingReports |8 | | | reportEntries |14 | | | closedReport |22 | | | reportTimes |82 | | | Reportposition |40 | | | ReportStates |68 | +-------------------------------------------------------------------------------+ </CODE></PRE> <P>I want to select records only for reporting </P> <PRE><CODE>+-------------------------------------------------------------------------------+ |Path | Module |count | +-------------------------------------------------------------------------------+ |reporting/trans | schemes |712 | | | fixedIncome |40 | |reporting | FinalizedReports |161 | | | PendingReports |8 | | | reportEntries |14 | | | closedReport |22 | | | reportTimes |82 | | | Reportposition |40 | | | ReportStates |68 | +-------------------------------------------------------------------------------+ </CODE></PRE> <P>Tried with </P> <PRE><CODE>sourcetype="server" host=*localqa* | stats count by Path | rex field=Path "\/api\/(?&lt;Path&gt;.*)\/(v1|v2|v3)\/(?&lt;Module&gt;.*)" | streamstats window=2 first(Path) as f_path count as c | eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | where Like (Path, 'reporting%') | table Path Module count </CODE></PRE> <P>But not working only the following section are coming</P> <PRE><CODE> +------------------------------------------------------------------------------------------------+ |Path |Module |Count | +------------------------------------------------------------------------------------------------+ |reporting/trans | schemes |712 | | fixedIncome |40 | </CODE></PRE> Tue, 05 Nov 2019 12:38:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-select-particular-path-using-where/m-p/478652#M192880 JyotiP 2019-11-05T12:38:27Z https://community.splunk.com/t5/Splunk-Search/How-to-select-particular-path-using-where/m-p/478653#M192881 <P>@JyotiP </P> <P>Can you please try these ?</P> <PRE><CODE>sourcetype="server" host=*localqa* | stats count by Path | rex field=Path "\/api\/(?&lt;Path&gt;.*)\/(v1|v2|v3)\/(?&lt;Module&gt;.*)" | streamstats window=2 first(Path) as f_path count as c | eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count </CODE></PRE> <P>OR</P> <PRE><CODE>sourcetype="server" host=*localqa* | stats count by Path | rex field=Path "\/api\/(?&lt;Path&gt;.*)\/(v1|v2|v3)\/(?&lt;Module&gt;.*)" | streamstats window=2 first(Path) as f_path count as c | eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | where like(Path,"%reporting%") | table Path Module count </CODE></PRE> <P><STRONG>UPDATED Answer:</STRONG></P> <PRE><CODE>sourcetype="server" host=*localqa* | stats count by Path | rex field=Path "\/api\/(?&lt;Path&gt;.*)\/(v1|v2|v3)\/(?&lt;Module&gt;.*)" | streamstats window=2 first(Path) as f_path count as c | eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | streamstats window=2 last(Path) as Lpath | eval Lpath=if(Lpath!="",Lpath,NULL) | filldown Lpath | where like(Lpath,"%reporting%") | table Path Module Count </CODE></PRE> <P><STRONG>Sample Search:</STRONG></P> <PRE><CODE>| makeresults | eval Path="profile", Module="profileTravellroute", Count="212" | append [ | makeresults | eval Path="statements/trialbalance", Module="trialbalance", Count="12" ] | append [ | makeresults | eval Path="iteneries/breakout", Module="execution", Count="121" ] | append [ | makeresults | eval Path="", Module="orderDetails", Count="129" ] | append [ | makeresults | eval Path="reporting/trans", Module="schemes", Count="127" ] | append [ | makeresults | eval Path="", Module="fixedIncome", Count="122" ] | append [ | makeresults | eval Path="reporting", Module="FinalizedReports", Count="125" ] | append [ | makeresults | eval Path="", Module="reportEntries", Count="122" ] | append [ | makeresults | eval Path="", Module="Reportposition", Count="123" ] | table Path Module Count | streamstats window=2 last(Path) as Lpath | eval Lpath=if(Lpath!="",Lpath,NULL) | filldown Lpath | where like(Lpath,"%reporting%") | table Path Module Count </CODE></PRE> <P>Thanks</P> Tue, 05 Nov 2019 12:52:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-select-particular-path-using-where/m-p/478653#M192881 kamlesh_vaghela 2019-11-05T12:52:27Z https://community.splunk.com/t5/Splunk-Search/How-to-select-particular-path-using-where/m-p/478654#M192882 <P>@kamlesh_vaghela only one record from each path is retrieving in both the query, I want all the records</P> Tue, 05 Nov 2019 13:22:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-select-particular-path-using-where/m-p/478654#M192882 JyotiP 2019-11-05T13:22:42Z https://community.splunk.com/t5/Splunk-Search/How-to-select-particular-path-using-where/m-p/478655#M192883 <P>@JyotiP <BR /> Please check my UPDATED answer.</P> Wed, 06 Nov 2019 05:30:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-select-particular-path-using-where/m-p/478655#M192883 kamlesh_vaghela 2019-11-06T05:30:05Z