I want to write a query to take the count if two non-consecutive string occurs in a statement. I am trying to do something like this, but this is not able to take logical AND operator in the match method :
Note : I want to use the query using eval only as in my larger query I have to perform some mathematical operation using more (different) eval variables.
| eval concatsearch=if(match(_raw,"String1 && String2"),1,0) |
eval ccount=if(match(_raw,"cc"),1,0) |
timechart span=1h
sum(concatsearch) as concatsearch,
sum(ccount) as ccount
There are many ways to do that, but this one should work:
| eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0)
If either string is not matched, a zero value will result, if both match, a 1 value will result.
Thanks so much. It works. Love Splunk comunity.
Yeah, me too. Okay, if that solved your problem, then please "accept" the answer, so it will show as solved.
I just tried to re-run the query and doesn;t look like it is giving the data.. I fi run this query it does give me data
("String1" AND "String2") | timechart count span=1h |sort -_time
Can you please review your query above once
Also, the entire query I am running is :
| eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0)
| timechart sum(concatsearch) span=1h
And I get 0 results, but those string are actually there. Am I doing something worng while using the sum and timechat ?