All Apps and Add-ons

How to count the number of matches of a string within an event?

zthomas
Explorer

I am using the Splunk App for *nix to gather netstat data, and I am trying to find the number of connections to the port 44221. I am using this search string, but am unable to figure out how to get a count of the occurrences within each event since there are no obvious fields, it is just formatted like the netstat command from the terminal.

index=os sourcetype="netstat" host="hostname" 44221

The command successfully highlights each line with that port number, so I imagine there has to be a very simple way to get the count of matches within each event, but I haven't found it yet.

0 Karma
1 Solution

sundareshr
Legend

If index=os sourcetype="netstat" host="hostname" 44221 | stats count doesn't give you what you are looking for, try using rex to extract the values into a field. You could do something like this (assuming your terminal command is netstat -e)

 index=os sourcetype="netstat" host="hostname" 44221 | rex ":(?<port>\d+)" | stats count by port


zthomas
Explorer

Thanks for your quick reply!

index=os sourcetype="netstat" host="hostname" 44221 | stats count just gives me the number of events that contain 44221, which is just the same as the time I'm searching because it is indexed once per minute.

index=os sourcetype="netstat" host="hostname" 44221 | rex ":(?<port>\d+)" | stats count by port seems to only pull out the first port that is listed by the netstat in each event (which happens to be 32000 for me) and count those, which again is just the same as the time period being searched. I think this is on the right track, but I need to grab specifically the port 44221, and I also need it to count every occurrence of that in each event and display it as a running total.

0 Karma

sundareshr
Legend

If an event can have multiple occurrences, you can add a max_match=0 to the rex command that will capture all occurrences. Then you could use mvcount() or other multi-value functions to manipulate that field. Something like this

index=os sourcetype="netstat" host="hostname" 44221 | rex max_match=0 ":(?<port>\d+)" | eval c=mvcount(port)  

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/rex

http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Parsemultivaluefields

0 Karma

zthomas
Explorer

Thanks, this did it for me! To add for anyone who finds this in the future, my final search was

index=os sourcetype="netstat" host="hostname" | rex max_match=0 ":(?<port>4422\d|5432)" | eval c=mvcount(port) | stats c by port

I used ":(?<port>4422\d|5432)" which matched only the ports I cared about, and the stats c by port gave me a pretty chart of the data.
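The following is an added Python model of what the thread's search does, not code from the thread or from Splunk. It runs the same regexes over two constructed netstat snapshots (hypothetical hosts and addresses) so you can see what rex max_match=0, mvcount() and stats count by port actually produce, and it adds two checks a defender usually wants: a word boundary after the port (the accepted pattern ":(?<port>4422\d|5432)" also matches ":54321" as 5432), and a stricter count that only takes ESTABLISHED rows whose local port is 44221, since the plain rex count also includes the LISTEN row and the foreign-address column. Function names (extract_ports, mvcount, count_by_port, established_to_port) are mine; Python spells the named group (?P<port>...) where SPL uses (?<port>...).

```python
import re
from collections import Counter

# Constructed sample: two "events" as the Splunk App for *nix would index them,
# one netstat snapshot per minute. Hosts and addresses are made up.
EVENTS = [
"""Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:44221           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:44221          10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:44221          10.0.0.10:51235         ESTABLISHED
tcp        0      0 10.0.0.5:5432           10.0.0.11:40001         ESTABLISHED
tcp        0      0 10.0.0.5:32000          10.0.0.12:40002         ESTABLISHED
""",
"""Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:44221           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:44221          10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:54321          10.0.0.13:40003         ESTABLISHED
""",
]

# The thread's first rex, as a Python named group.
PORT_RE = re.compile(r":(?P<port>\d+)")
# The accepted pattern exactly as posted (no boundary after the port).
WATCHED_RE_LOOSE = re.compile(r":(?P<port>4422\d|5432)")
# Tightened version: \b stops ":54321" from being counted as ":5432".
WATCHED_RE = re.compile(r":(?P<port>4422\d|5432)\b")


def extract_ports(event, pattern=PORT_RE):
    """Equivalent of `rex max_match=0 ":(?<port>\\d+)"`: every match in the event,
    i.e. the multivalue field `port`."""
    return [m.group("port") for m in pattern.finditer(event)]


def mvcount(event, pattern=PORT_RE):
    """Equivalent of `eval c=mvcount(port)` for one event."""
    return len(extract_ports(event, pattern))


def count_by_port(events, pattern=PORT_RE):
    """Equivalent of `stats count by port` on the multivalue field: each value of
    the field is counted on its own, summed across all events."""
    counter = Counter()
    for ev in events:
        counter.update(extract_ports(ev, pattern))
    return dict(counter)


def established_to_port(event, port):
    """Stricter count: rows whose *local* port is `port` and whose state is
    ESTABLISHED. Excludes the LISTEN socket row and matches in the foreign
    address column, which the rex count includes. Parses netstat columns
    positionally (Proto Recv-Q Send-Q Local Foreign State)."""
    n = 0
    for line in event.splitlines():
        cols = line.split()
        if len(cols) < 6 or ":" not in cols[3]:
            continue  # header line or malformed row
        local_port = cols[3].rsplit(":", 1)[1]
        if local_port == str(port) and cols[5] == "ESTABLISHED":
            n += 1
    return n


if __name__ == "__main__":
    for i, ev in enumerate(EVENTS, 1):
        print(f"event {i}: mvcount(port)={mvcount(ev)} "
              f"watched={mvcount(ev, WATCHED_RE)} "
              f"loose={mvcount(ev, WATCHED_RE_LOOSE)} "
              f"established->44221={established_to_port(ev, 44221)}")
    print("stats count by port (watched):", count_by_port(EVENTS, WATCHED_RE))
```

On the second sample event the posted pattern reports three watched matches while the bounded one reports two; the ESTABLISHED-only count is lower still, because the listening socket's own row carries ":44221" in every snapshot and would otherwise be added to every minute's total.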
