Monitoring Splunk

Quick and Dirty Keyword Search

stakor
Path Finder

I know that this can be done with a lookup, but I was wondering if there was a quick and dirty way to search through web traffic for like three keywords. For example:

bad1
bad2
bad3

I would like to break the keywords into counts. Normally you would do count by fieldName.

Is there a way to do this in SPL, and not have to create a lookup table for each time you go hunting for something? This would probably be used once or twice per set of keywords - that is why I am not trying to do a saved lookup.

1 Solution

somesoni2
Revered Legend

Try something like this

your base search bad1 OR bad2 OR bad3 
| eval keyword=case(searchmatch("bad1"),"bad1",searchmatch("bad2"),"bad2",searchmatch("bad3"),"bad3")
| stats count by keyword

OR

your base search bad1 OR bad2 OR bad3 
| rex max_match=0 "(?<keyword>bad1|bad2|bad3)"
| stats count by keyword

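The two SPL variants in the answer do not count the same thing, which matters when hunting: `case()` returns the first branch that is true, so an event containing several of the keywords is attributed to only one of them, while `rex max_match=0` builds a multivalue field and `stats count by keyword` then counts that event once per keyword it contains. The keyword base search and `searchmatch()` are case-insensitive, but `rex` is a PCRE pattern that is case-sensitive unless it begins with `(?i)`, and even then the captured value keeps the case found in the event, so `BAD3` and `bad3` land in separate groups. The following Python simulation is an added example, not code from the original post or from Splunk; the log lines are constructed, substring containment stands in for Splunk's token matching, and each distinct keyword is counted at most once per event (how repeated occurrences inside one event are counted should be confirmed on live data).

```python
import re
from collections import Counter

KEYWORDS = ["bad1", "bad2", "bad3"]

# Constructed sample events (hypothetical proxy log lines, not real traffic).
SAMPLE_EVENTS = [
    "10.0.0.5 GET http://example.test/bad1/index.html 200",
    "10.0.0.6 GET http://example.test/home 200",
    "10.0.0.7 POST http://example.test/bad2?ref=bad1 302",
    "10.0.0.8 GET http://example.test/BAD3/payload 404",
    "10.0.0.9 GET http://example.test/bad3 200",
]


def base_search(events, keywords):
    """Approximate the base search `bad1 OR bad2 OR bad3`.

    Splunk keyword terms match case-insensitively, so an event is kept when it
    contains any keyword in any case (substring containment is a simplification
    of Splunk's token-based matching).
    """
    return [e for e in events
            if any(k.lower() in e.lower() for k in keywords)]


def count_first_match(events, keywords):
    """Approach 1: `eval keyword=case(searchmatch("bad1"),"bad1", ...)`.

    case() returns the first branch that is true, so every event is attributed
    to exactly one keyword, in the order the branches are listed. An event that
    contains several keywords only counts under the first one.
    """
    counts = Counter()
    for event in base_search(events, keywords):
        for k in keywords:                      # branch order decides the winner
            if k.lower() in event.lower():      # searchmatch() is case-insensitive
                counts[k] += 1
                break
    return dict(counts)


def count_all_matches(events, keywords, ignore_case=False):
    """Approach 2: `rex max_match=0 "(?<keyword>bad1|bad2|bad3)"`.

    max_match=0 turns keyword into a multivalue field holding every match, so
    `stats count by keyword` counts the event once under each keyword it
    contains. rex is case-sensitive unless the pattern starts with (?i); even
    then the captured value keeps the case found in the event, so "BAD3" and
    "bad3" become separate groups.
    """
    pattern = "|".join(re.escape(k) for k in keywords)
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(f"(?P<keyword>{pattern})", flags)
    counts = Counter()
    for event in base_search(events, keywords):
        # One row per distinct captured value (simplification, see lead-in);
        # an event with no match has a null keyword and is dropped by stats.
        for value in set(rx.findall(event)):
            counts[value] += 1
    return dict(counts)


if __name__ == "__main__":
    print("case()/searchmatch:", count_first_match(SAMPLE_EVENTS, KEYWORDS))
    print("rex max_match=0:   ", count_all_matches(SAMPLE_EVENTS, KEYWORDS))
    print("rex with (?i):     ", count_all_matches(SAMPLE_EVENTS, KEYWORDS, True))
```

On the constructed events the `case()` variant never reports `bad2` at all, because the only event containing it is claimed by the `bad1` branch first, and the plain `rex` variant misses the upper-case `BAD3` hit that the base search matched. When the goal is a hit count per indicator rather than a one-label-per-event classification, the `rex max_match=0` form with `(?i)` and a `lower()` on the captured value is the one that gives a complete picture.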