https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/645002#M223373 <P>Luckily each test segment is delimited by comma. &nbsp;You can use that to break the raw input into individual events, like this:</P><LI-CODE lang="markup">| eval data = split(_raw, ",") | mvexpand data | rename data AS _raw | extract</LI-CODE><P>Ultimately, though, your developer should consider breaking the events in raw logs.</P><P>Below is data emulation you can play with and compare with your real data.</P><LI-CODE lang="markup">| makeresults | eval _raw = "code =test1 description=test1 description status = pending,code =test2 description=test2 description status = COMPLTED, code =test3 description=test3 description status = COMPLETED_FIRST,code =test2 description=test2 description status = COMPLTE." ``` data emulation above ```</LI-CODE><P>&nbsp;</P> Tue, 30 May 2023 07:31:19 GMT yuanliu 2023-05-30T07:31:19Z https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644923#M223334 <P>I have an input string&nbsp; which contains strings like code =test1&nbsp; description=test1 description status = pending,code =test2&nbsp; description=test2 description status = COMPLTED,&nbsp;code =test3&nbsp; description=test3 description status = COMPLETED_FIRST,code =test2&nbsp; description=test2 description status = COMPLTED,</P> <P>Expected Ouput&nbsp;</P> <P>Code&nbsp; &nbsp;count&nbsp;</P> <P>test2&nbsp; &nbsp; &nbsp;2</P> <P>test3&nbsp; &nbsp; &nbsp; 1</P> <P>Basically i&nbsp; am looking for whose status is completed or starts with completed word&nbsp; those code name and completion count in the result. Can anyone please help me on this.</P> Tue, 30 May 2023 03:51:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644923#M223334 ABHAYA 2023-05-30T03:51:20Z https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644927#M223336 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254969">@ABHAYA</a>.,</P><P>if you want to know only the codes where the status is "COMPLETED", you could run:</P><LI-CODE lang="markup">index=your_index status=COMPLETED | stats count BY Code</LI-CODE><P>if you want also add all the information about status, you could run:</P><LI-CODE lang="markup">index=your_index | stats count BY Code status</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 29 May 2023 12:54:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644927#M223336 gcusello 2023-05-29T12:54:40Z https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644932#M223340 <P><SPAN>code =test1&nbsp; description=test1 description status = pending,code =test2&nbsp; description=test2 description status = COMPLTED,&nbsp;code =test3&nbsp; description=test3 description status = COMPLETED_FIRST,code =test2&nbsp; description=test2 description status = COMPLTE. This&nbsp; input is a single string. I do not have&nbsp; data in table format.I tried with the solution provided by you .it is not working</SPAN></P> Mon, 29 May 2023 13:19:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644932#M223340 ABHAYA 2023-05-29T13:19:35Z https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644936#M223343 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254969">@ABHAYA</a>,</P><P>if you have all the fields in the same event, you have to divide it using something like this:</P><LI-CODE lang="markup">| makeresults | eval _raw="code =test1 description=test1 description status = pending,code =test2 description=test2 description status = COMPLTED, code =test3 description=test3 description status = COMPLETED_FIRST,code =test2 description=test2 description status = COMPLTE." | rex max_match=0 "(?&lt;event&gt;[^,\.]+)" | mvexpand event | rex field=event "code\s*\=\s*(?&lt;code&gt;\w*)" | rex field=event "status\s*\=\s*(?&lt;status&gt;\w*)" | stats count BY code status</LI-CODE><P>when you arrive at the last raw, you can aggregate as you like.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 29 May 2023 13:35:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644936#M223343 gcusello 2023-05-29T13:35:55Z https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644938#M223345 <LI-CODE lang="markup">| rex max_match=0 "code\s*=\s*(?&lt;code&gt;\S+)" | stats count by code</LI-CODE> Mon, 29 May 2023 13:41:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/644938#M223345 ITWhisperer 2023-05-29T13:41:04Z https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/645002#M223373 <P>Luckily each test segment is delimited by comma. &nbsp;You can use that to break the raw input into individual events, like this:</P><LI-CODE lang="markup">| eval data = split(_raw, ",") | mvexpand data | rename data AS _raw | extract</LI-CODE><P>Ultimately, though, your developer should consider breaking the events in raw logs.</P><P>Below is data emulation you can play with and compare with your real data.</P><LI-CODE lang="markup">| makeresults | eval _raw = "code =test1 description=test1 description status = pending,code =test2 description=test2 description status = COMPLTED, code =test3 description=test3 description status = COMPLETED_FIRST,code =test2 description=test2 description status = COMPLTE." ``` data emulation above ```</LI-CODE><P>&nbsp;</P> Tue, 30 May 2023 07:31:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-count-of-certain-text-using-Splunk-regular/m-p/645002#M223373 yuanliu 2023-05-30T07:31:19Z