Help on Splunk query

suvi6789 — Sat, 23 Mar 2024 22:26:13 GMT

Hi,
I have 4 fields in my index
ID, Method, URL, HTTP_responsecode

ID is in the form of XXXX-YYYY-ZZZZ-AAAA,
Now, I want to delimit the ID column and extract YYYY value then run a stats command with the delimited value by HTTP_responsecode

Something as below

Delimited_ID	HTTP_responsecode	Count
YYYY	200	10

Please could you help on how to delimit the value in the above format mentioned and how to use the new delimited value in a stats command

Re: Help on Splunk query

richgalloway — Sun, 24 Mar 2024 00:11:08 GMT

There are a couple of ways to get the desired field from the ID.

| rex field=ID "-(?<Delimited_ID>[^-]+)" ``` OR ``` | eval tmp = split(ID, "-") | eval Delimited_ID = mvindex(tmp,1)

Use the new field in a stats command just as you would any other field.

| stats count as Count by Delimited_ID, HTTP_responsecode

topic Re: Help on Splunk query in Splunk Search

Help on Splunk query

Re: Help on Splunk query