Re: How do I individual count each of them in this...

thiruyadav17 · ‎03-20-2023

So, I wanted to Split the path into multiple events so that i can count whatever i want to count like active or dev or usa or etc.

We have few path i.e below

path=/dev/site/usa/active

path=/prod/site/usa/inactive

path=/dev/site/Germany/cleaning

path=/qa/site/Austria/maintenancemode

So now i want to count each of active by usa, dev
then I want to get the top 5 counts of it.

In the results i want to see the bar graph like
active
cleaning

maintenancemode

instead of whole path.

Note: I don't have backend access.

somesoni2 · ‎03-20-2023

Assuming the format of "path" including location of segments is static, you can extract each segment as separate field, like this

your current search which fetch field path
| rex field=path "\/(?<env>[^\/]+)\/site\/(?<country>[^\/]+)\/(?<status>[^\/]+)"

And then run your aggregation per your requirement

your current search which fetch field path
| rex field=path "\/(?<env>[^\/]+)\/site\/(?<country>[^\/]+)\/(?<status>[^\/]+)"
| stats count by env country status
| where country="usa" AND env="dev" AND status="active"
| sort 5 -count

ITWhisperer · ‎03-20-2023

| eval part=split(path,"/")
| stats count by part

How do I individual count each of them in this path?

field extraction

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Changes to Splunk Instructor-Led Training Completion Criteria