
Like command not working as expected - I need a count of each pattern that matches the source

Explorer

Here is my search, which does not return anything 😞. The "source like Patterns" is not working.

    index=cio_billing host=amsokennl01
    | eval Day=strftime(now(),"%a")
    | lookup job_schedule2 Day as Day OUTPUT Pattern as Patterns
    | where source like Patterns
    | stats count as actual_count BY Patterns
    | table Patterns source Day actual_count

Pattern:

%arb_usg_mps%06%
arbor_collections
pst_nl_arb_payment_processing
%arbor_collections%16.30%
%arb_pay_emergency_payments%
%arb_usg_mps%12%

Source:

pst_pe_arb_usg_mps_2017.08.13_06.30.13.log
pst_pe_arbor_collections_2017.08.14_02.00.06.log
0 Karma

Re: Like command not working as expected - I need a count of each pattern that matches the source

Champion

What is the output you want? Do you need to compile each pattern?

<In case of just extracting>
    index=cio_billing host=amsokennl01
    [
    |inputlookup job_schedule2 
    | eval wk_Day=strftime(now(),"%a") 
    | where Day=wk_Day
    |rename Pattern as source
    |table source
    ]・・・・・

<Number of cases per pattern>    
    |inputlookup job_schedule2 
    | eval wk_Day=strftime(now(),"%a") 
    |where Day=wk_Day
    |map search="search index=cio_billing host=amsokennl01 source=$Pattern$ |stats count |eval Day=\"$Day$\", Pattern=\"$Pattern$\" |table Day,Pattern,count"

    Pattern (note: replace % with *):
    *arb_usg_mps*06*
    arbor_collections
    pst_nl_arb_payment_processing
    *arbor_collections*16.30*
    *arb_pay_emergency_payments*
    *arb_usg_mps*12*
0 Karma
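An added example, not written by any poster in this thread: a small Python model of the matching discussed above, run over the patterns and source names quoted in the question. It assumes `like()` follows SQL LIKE semantics (`%` matches any run of characters, `_` matches exactly one character, and the pattern must cover the whole value); the function names are hypothetical.

```python
import re

# Patterns and source names copied from the question above.
PATTERNS = [
    "%arb_usg_mps%06%",
    "arbor_collections",
    "pst_nl_arb_payment_processing",
    "%arbor_collections%16.30%",
    "%arb_pay_emergency_payments%",
    "%arb_usg_mps%12%",
]
SOURCES = [
    "pst_pe_arb_usg_mps_2017.08.13_06.30.13.log",
    "pst_pe_arbor_collections_2017.08.14_02.00.06.log",
]

def like_to_regex(pattern):
    """Compile a LIKE pattern: % = any run, _ = any single character."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # '.' in "16.30" stays literal
    return re.compile("".join(parts), re.DOTALL)

def like(value, pattern):
    # fullmatch: a pattern without % only matches an identical value
    return like_to_regex(pattern).fullmatch(value) is not None

def like_to_wildcard(pattern):
    """Rewrite % as * for a source=... search term ('_' becomes literal there)."""
    return pattern.replace("%", "*")

def count_per_pattern(sources, patterns):
    """Return {pattern: number of sources it matches}, keeping zero counts."""
    counts = {p: 0 for p in patterns}
    for src in sources:
        for p in patterns:
            if like(src, p):
                counts[p] += 1
    return counts

if __name__ == "__main__":
    for pat, n in count_per_pattern(SOURCES, PATTERNS).items():
        print(f"{pat:32} {like_to_wildcard(pat):32} count={n}")
```

Under these semantics the bare `arbor_collections` entry matches neither sample source, because it has no `%` on either side; `%arbor_collections%` would match the second one.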

Re: Like command not working as expected - I need a count of each pattern that matches the source

Explorer

I need a count of each Pattern matching the source

0 Karma

Re: Like command not working as expected - I need a count of each pattern that matches the source

Champion

The search sentence was corrected to the number of cases per pattern.

0 Karma

Re: Like command not working as expected - I need a count of each pattern that matches the source

Legend

Hi,
let me better understand: you have a lookup with all the patterns you want to search as string or substring in your events, and then you want to use the found patterns in stats, is this correct?
I had this problem last year and I received a solution here: https://answers.splunk.com/answers/479831/how-to-search-for-a-pair-of-substrings-in-a-subsea.html
The main problem is that to search from a lookup as string you have to use the "query" field, but after the search you have no memory of the "query" that was used.

So if it is useful only to search, you can use this:

    index=cio_billing host=amsokennl01
    [ | inputlookup job_schedule2 | eval wk_Day=strftime(now(),"%a") | where Day=wk_Day | rename Pattern AS query | fields query ]
    | table source Day _raw

If instead you want the whole solution, you have to follow the answer below and try something like this:

    index=cio_billing host=amsokennl01
    [ | inputlookup job_schedule2 | eval wk_Day=strftime(now(),"%a") | where Day=wk_Day | rename Pattern AS query | fields query ]
    | rename _raw as rawText
    | eval Pattern=[
        | inputlookup job_schedule2
        | rename Pattern AS query
        | stats values(query) AS query
        | eval query=mvjoin(query,",")
        | fields query
        | format "" "" "" "" "" ""
        ]
    | eval Pattern=split(Pattern,",")
    | mvexpand Pattern
    | where like(rawText,Pattern)
    | stats count as actual_count BY Pattern
    | table Pattern source Day actual_count

Bye.
Giuseppe

0 Karma