https://community.splunk.com/t5/Splunk-Search/How-get-a-total-count-based-on-the-substring-value/m-p/646875#M223886 <P>Below is the splunk query,&nbsp; (My.Message has many various types of messages but the below one is what I wanted)<BR /><BR />index="myIndex" app_name="myappName"&nbsp; My.Message = "*symbolName:*"&nbsp;<BR /><BR />When I run the above query, I get the below results:</P> <P><SPAN>myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009</SPAN></P> <P><SPAN>myappstatus got Ended, symbolName: GOOGL ElapsedTime: 0.0005339</SPAN></P> <P><SPAN>myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0005339<BR /><BR />Please help on the following:&nbsp;<BR />1) How to get the Total count of the query (Visualization) only for My.Message = "*symbolName:*"&nbsp;<BR />2) How to split the string "myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009"&nbsp;<BR />3) How to create a table for "symbolName", "Total Count", "ElapsedTime"<BR /><BR />(for example,&nbsp;symbolName: AAPL,&nbsp;Total Count = 2 and&nbsp;ElapsedTime =&nbsp;0.0007348 (0.0002009 +&nbsp;0.0005339)<BR /><BR />Thanks<BR /><BR /></SPAN></P> Wed, 14 Jun 2023 23:47:06 GMT Sureshp191 2023-06-14T23:47:06Z https://community.splunk.com/t5/Splunk-Search/How-get-a-total-count-based-on-the-substring-value/m-p/646875#M223886 <P>Below is the splunk query,&nbsp; (My.Message has many various types of messages but the below one is what I wanted)<BR /><BR />index="myIndex" app_name="myappName"&nbsp; My.Message = "*symbolName:*"&nbsp;<BR /><BR />When I run the above query, I get the below results:</P> <P><SPAN>myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009</SPAN></P> <P><SPAN>myappstatus got Ended, symbolName: GOOGL ElapsedTime: 0.0005339</SPAN></P> <P><SPAN>myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0005339<BR /><BR />Please help on the following:&nbsp;<BR />1) How to get the Total count of the query (Visualization) only for My.Message = "*symbolName:*"&nbsp;<BR />2) How to split the string "myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009"&nbsp;<BR />3) How to create a table for "symbolName", "Total Count", "ElapsedTime"<BR /><BR />(for example,&nbsp;symbolName: AAPL,&nbsp;Total Count = 2 and&nbsp;ElapsedTime =&nbsp;0.0007348 (0.0002009 +&nbsp;0.0005339)<BR /><BR />Thanks<BR /><BR /></SPAN></P> Wed, 14 Jun 2023 23:47:06 GMT https://community.splunk.com/t5/Splunk-Search/How-get-a-total-count-based-on-the-substring-value/m-p/646875#M223886 Sureshp191 2023-06-14T23:47:06Z https://community.splunk.com/t5/Splunk-Search/How-get-a-total-count-based-on-the-substring-value/m-p/646891#M223892 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/257729">@Sureshp191</a>&nbsp;<BR /><BR />Based on the example events provided, here's some demonstration run anywhere code showing a method to do what you want...</P><LI-CODE lang="markup">| makeresults | eval raw="myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009 myappstatus got Ended, symbolName: GOOGL ElapsedTime: 0.0005339 myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0005339" | eval raw=split(raw, " ") | mvexpand raw | rename raw AS _raw ``` the above is just creating dummy events to test the following SPL code with ``` | rex "symbolName: (?&lt;symbolName&gt;\w+) ElapsedTime: (?&lt;ElapsedTime&gt;[^\s]+)" | eventstats count AS "Total Count" list(ElapsedTime) AS listElapsedTime sum(ElapsedTime) AS "Total ElapsedTime" BY symbolName | table symbolName "Total Count" "Total ElapsedTime"</LI-CODE><P>&nbsp;Hope that helps</P> Wed, 14 Jun 2023 01:13:51 GMT https://community.splunk.com/t5/Splunk-Search/How-get-a-total-count-based-on-the-substring-value/m-p/646891#M223892 yeahnah 2023-06-14T01:13:51Z https://community.splunk.com/t5/Splunk-Search/How-get-a-total-count-based-on-the-substring-value/m-p/646904#M223899 <P>Thanks, I got the output but symbolName AAPL is duplicated<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Snag_682940b.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/25824i196948DFB206E5C1/image-size/large?v=v2&amp;px=999" role="button" title="Snag_682940b.png" alt="Snag_682940b.png" /></span>.&nbsp;</P> Wed, 14 Jun 2023 04:22:49 GMT https://community.splunk.com/t5/Splunk-Search/How-get-a-total-count-based-on-the-substring-value/m-p/646904#M223899 Sureshp191 2023-06-14T04:22:49Z https://community.splunk.com/t5/Splunk-Search/How-get-a-total-count-based-on-the-substring-value/m-p/646910#M223904 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/257729">@Sureshp191</a>&nbsp;<BR /><BR />OK, to dedup&nbsp; results do it this way...</P><LI-CODE lang="markup">index="myIndex" app_name="myappName" My.Message = "*symbolName:*" | rex "symbolName: (?&lt;symbolName&gt;\w+) ElapsedTime: (?&lt;ElapsedTime&gt;[^\s]+)" | stats count AS "Total Count" sum(ElapsedTime) AS "Total ElapsedTime" BY symbolName</LI-CODE><P>&nbsp;</P> Wed, 14 Jun 2023 05:07:16 GMT https://community.splunk.com/t5/Splunk-Search/How-get-a-total-count-based-on-the-substring-value/m-p/646910#M223904 yeahnah 2023-06-14T05:07:16Z