topic Re: fomation in pattern matching- please help urgently in Splunk Search

fomation in pattern matching- please help urgently

abhayneilam — Sat, 27 Oct 2012 17:00:40 GMT

I have 2 keywords and I am running query :

Out of two keywords ( kol,delhi), Location field is matching only "kol" keyword and I am getting my output as :

kol 10
but I want to get my output as

kol 10
delhi 0

because if there is no match then it should print 0 along with the keyword as above

Please help me to get the output, if pattern doesnot match, it should print 0 along with the pattern ( 0 will represent that there is not such pattern )

Please help !! this is really urgent

Re: fomation in pattern matching- please help urgently

gkanapathy — Sat, 27 Oct 2012 18:20:21 GMT

http://splunk-base.splunk.com/answers/62196/any-way-to-return-zero-result-count-stats-of-a-field-such-as-the-host-or-sourcteype-field?page=1&focusedAnswerId=62594#62594 may help

Re: fomation in pattern matching- please help urgently

abhayneilam — Sat, 27 Oct 2012 19:03:00 GMT

Thanks gkanapathy for this link :

But I am getting a bit confused with the ans given to this link :

Could you please ( its heartly request ) help me to my query :

please help me if any of the keyword is not matching the field "Location" then it should display the keyword along with 0..

Thanks in Advance !! Please

Re: fomation in pattern matching- please help urgently

yannK — Sun, 28 Oct 2012 14:31:20 GMT

Fields names are case sensitive. Please be consistent in your usage. ( don't use one then ONE)

Re: fomation in pattern matching- please help urgently

abhayneilam — Mon, 29 Oct 2012 05:04:55 GMT

By mistaken I have used "one" instead of "ONE"

Above is my query now let me know how do i proceed

Re: fomation in pattern matching- please help urgently

Ayn — Mon, 29 Oct 2012 05:37:06 GMT

You still mix one and ONE. Proceed by fixing that.

Re: fomation in pattern matching- please help urgently

abhayneilam — Mon, 29 Oct 2012 09:43:10 GMT

Now, Please help me to get the solution

Re: fomation in pattern matching- please help urgently

yannK — Mon, 29 Oct 2012 17:05:15 GMT

Without any sample we cannot test your search.

If your events contains a single value in the field Location, you probably don't need 2 searches, a single one can do the trick.
Also I don't know if your regex is supposed to match "kol" or kol.
Also, the rex command expect | rex field=namofthefield "regexexpression"

example :

index="maa"  kol OR delhi 
| table Name Age Location 
| rex field=Location "(?(?i)kol|delhi)"
| eval one=lower(one) 
|stats count(one) by one

Re: fomation in pattern matching- please help urgently

abhayneilam — Mon, 29 Oct 2012 18:23:10 GMT

my rex is absoutely working fine separately for each keyword,when I am giving it ( kol | delhi ) it is not mathing everything, More over this is not my question , My question is very well defined in my first post but I am still un-answered, I am seeking for the value 0 if my keyword is not matching with the field ( that is my question that how to get 0 count )

Re: fomation in pattern matching- please help urgently

yannK — Mon, 29 Oct 2012 18:40:40 GMT

ok,if the second sub search doesn't return any result, then there will be nothing to append and splunk will not display it.

The workaround for this is to write a list of your expected lines, and store them in a csv file or a lookup
example file city_list.csv with a column header.



city, country

delhi, india

kol, india

moscow,russia

you can upload the file with the manager, or generate the file with the result of a search (see outputloookup)

Then during your search use a OUTER JOIN on the city name to match the list to your results, and at the very end, replace the missing values per "zero"

for details :

lookups
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Inputlookup
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Outputlookup
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions

join http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Join