https://community.splunk.com/t5/Splunk-Search/Extract-string-and-separate-results-by-different-strings/m-p/132181#M36038 <P>I have been looking for days for an answer to this on Splunk answers and elsewhere.<BR /><BR /> I have a query like this: <BR /> sourcetype="*-xxx01" (XXX0014 OR XXX0019 OR XXX0018 OR XXX0015) | timechart span=30m COUNT</P> <P>XXX014, XXX019, XXX018, XXX015 are all strings in each log entry (they are KPIs) (its either XXX014 or XXX019 or XXX018 or XXX015 obviously in each log entry). I am trying to get results returned that are in columns so I can separate the results based on these KPIs. This would be so easy if they were part of a field. I could use "by fieldname" but these aren't part of a field. I was hoping I could do "COUNT by sum(XXX0014) sum(XXX019) sum(XXX018) sum(XXX015)" but that doesn't work. Below is an example of a log entry. Any help would be greatly appreciated!! (ultimate goal is a timechart bar graph that separates by different string values in each span)</P> <P>2014-04-15 15:00:48,056 [INFO] [UUID=XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX subNo=XXXXXXXXXXX yhn=000000000] XXX0014: Ignored notification grant. cause=IgnoreNotificationException Ignore Grant Notification </P> <P>Where it says XXX0014... that is the value I want to separate my results with. </P> Tue, 15 Apr 2014 15:04:10 GMT EricLloyd79 2014-04-15T15:04:10Z https://community.splunk.com/t5/Splunk-Search/Extract-string-and-separate-results-by-different-strings/m-p/132181#M36038 <P>I have been looking for days for an answer to this on Splunk answers and elsewhere.<BR /><BR /> I have a query like this: <BR /> sourcetype="*-xxx01" (XXX0014 OR XXX0019 OR XXX0018 OR XXX0015) | timechart span=30m COUNT</P> <P>XXX014, XXX019, XXX018, XXX015 are all strings in each log entry (they are KPIs) (its either XXX014 or XXX019 or XXX018 or XXX015 obviously in each log entry). I am trying to get results returned that are in columns so I can separate the results based on these KPIs. This would be so easy if they were part of a field. I could use "by fieldname" but these aren't part of a field. I was hoping I could do "COUNT by sum(XXX0014) sum(XXX019) sum(XXX018) sum(XXX015)" but that doesn't work. Below is an example of a log entry. Any help would be greatly appreciated!! (ultimate goal is a timechart bar graph that separates by different string values in each span)</P> <P>2014-04-15 15:00:48,056 [INFO] [UUID=XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX subNo=XXXXXXXXXXX yhn=000000000] XXX0014: Ignored notification grant. cause=IgnoreNotificationException Ignore Grant Notification </P> <P>Where it says XXX0014... that is the value I want to separate my results with. </P> Tue, 15 Apr 2014 15:04:10 GMT https://community.splunk.com/t5/Splunk-Search/Extract-string-and-separate-results-by-different-strings/m-p/132181#M36038 EricLloyd79 2014-04-15T15:04:10Z https://community.splunk.com/t5/Splunk-Search/Extract-string-and-separate-results-by-different-strings/m-p/132182#M36039 <P>The easiest would be to get them extracted into a field, say <CODE>KPI</CODE>, and do a <CODE>timechart count by KPI</CODE>. For your sample event, you should be able to temporarily extract the field like this:</P> <PRE><CODE>base search | rex "\]\s+(?&lt;KPI&gt;\w+):" | timechart count by KPI </CODE></PRE> <P>If that works, move the extraction to the config (Settings -&gt; Fields -&gt; Field Extractions) so you can drop the <CODE>rex</CODE> call from the search. If your other KPIs are in differently looking events you can define multiple extractions that all yield the same field name.</P> Tue, 15 Apr 2014 15:47:03 GMT https://community.splunk.com/t5/Splunk-Search/Extract-string-and-separate-results-by-different-strings/m-p/132182#M36039 martin_mueller 2014-04-15T15:47:03Z https://community.splunk.com/t5/Splunk-Search/Extract-string-and-separate-results-by-different-strings/m-p/132183#M36040 <P>This worked beautifully... thank you!</P> Tue, 15 Apr 2014 16:19:56 GMT https://community.splunk.com/t5/Splunk-Search/Extract-string-and-separate-results-by-different-strings/m-p/132183#M36040 EricLloyd79 2014-04-15T16:19:56Z