count if two nonconsecutive string occurs in a sta...

ataunk · ‎04-14-2020

I want to write a query to take the count if two non-consecutive string occurs in a statement. I am trying to do something like this, but this is not able to take logical AND operator in the match method :

Note : I want to use the query using eval only as in my larger query I have to perform some mathematical operation using more (different) eval variables.

| eval concatsearch=if(match(_raw,"String1 && String2"),1,0) |
eval ccount=if(match(_raw,"cc"),1,0) |
timechart span=1h
sum(concatsearch) as concatsearch,
sum(ccount) as ccount

DalJeanis · ‎04-14-2020

There are many ways to do that, but this one should work:

  | eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0)

If either string is not matched, a zero value will result, if both match, a 1 value will result.

ataunk · ‎04-14-2020

Thanks so much. It works. Love Splunk comunity.

DalJeanis · ‎04-15-2020

Yeah, me too. Okay, if that solved your problem, then please "accept" the answer, so it will show as solved.

ataunk · ‎04-15-2020

I just tried to re-run the query and doesn;t look like it is giving the data.. I fi run this query it does give me data

("String1" AND "String2") | timechart count span=1h |sort -_time

Can you please review your query above once

ataunk · ‎04-15-2020

Also, the entire query I am running is :

| eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0)
| timechart sum(concatsearch) span=1h

And I get 0 results, but those string are actually there. Am I doing something worng while using the sum and timechat ?

count if two nonconsecutive string occurs in a statement

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms