https://community.splunk.com/t5/Splunk-Search/Can-I-define-string-buckets-with-regular-expressions-regex/m-p/193980#M55907 <P>As for smart clustering, you can always write a Python custom search command that does exactly what you need. Look at etc/apps/search/bin/pyrangemap.py for an outdated but easy to understand example.</P> <P>As for your regex-based bucketing, you can do that natively roughly like this (pseudosplunk):</P> <PRE><CODE>your search | eval mybucket = case(match(myfield, "myexpression1"), "mybucket1", match(myfield, "myexpression2"), "mybucket2", etc.) | (event)stats count by mybucket </CODE></PRE> <P>If you use <CODE>stats</CODE> you'll get just the count by mybucket as the result, if you use <CODE>eventstats</CODE> you'll get the count field added to each search result according to its value of mybucket.</P> Fri, 21 Mar 2014 15:12:12 GMT martin_mueller 2014-03-21T15:12:12Z https://community.splunk.com/t5/Splunk-Search/Can-I-define-string-buckets-with-regular-expressions-regex/m-p/193979#M55906 <P>Hello,</P> <P>Here is the data format: <BR /> 00:00:01 subject=A.A<BR /><BR /> 00:00:01 subject=B.A<BR /><BR /> 00:00:01 subject=A.A.A<BR /><BR /> 00:00:01 subject=A.B.A<BR /><BR /> ...</P> <P>I would like to count the events in buckets I would have defined with regular expressions.<BR /> For exemple here, I would like to define the following buckets: </P> <PRE><CODE>A\.A.* A\.[B-Z].* B.* [C-Z].* </CODE></PRE> <P>and count the event in each bucket.<BR /><BR /> It looks like rangemap only works with text fields.<BR /><BR /> Bucketdir doesn't seem to allow to define my buckets with regular expressions.</P> <P>Second question just in case, is there a smart function which creates clever buckets based on the repartition in the tree defined by the subject string?<BR /> By clever, I mean a function which groups a large semantic with few events together (eg: <CODE>[C-Z].*</CODE> ), but separate a precise semantic (eg <CODE>A\.A\.A.*</CODE>) because it contains more events. So in the end, all buckets are almost equal in size, so it's a very useful visual representation of where the events are in the tree, with some drill down in some parts of the tree.</P> <P>Just in case, somebody wonders, or for TAG research purpose:<BR /> I'm trying to do that to get a good representation of the repartition of TIBCO RV multicast data.</P> Wed, 19 Mar 2014 11:56:26 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-define-string-buckets-with-regular-expressions-regex/m-p/193979#M55906 manus 2014-03-19T11:56:26Z https://community.splunk.com/t5/Splunk-Search/Can-I-define-string-buckets-with-regular-expressions-regex/m-p/193980#M55907 <P>As for smart clustering, you can always write a Python custom search command that does exactly what you need. Look at etc/apps/search/bin/pyrangemap.py for an outdated but easy to understand example.</P> <P>As for your regex-based bucketing, you can do that natively roughly like this (pseudosplunk):</P> <PRE><CODE>your search | eval mybucket = case(match(myfield, "myexpression1"), "mybucket1", match(myfield, "myexpression2"), "mybucket2", etc.) | (event)stats count by mybucket </CODE></PRE> <P>If you use <CODE>stats</CODE> you'll get just the count by mybucket as the result, if you use <CODE>eventstats</CODE> you'll get the count field added to each search result according to its value of mybucket.</P> Fri, 21 Mar 2014 15:12:12 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-define-string-buckets-with-regular-expressions-regex/m-p/193980#M55907 martin_mueller 2014-03-21T15:12:12Z