I know that this can be done with a lookup, but I was wondering if there was a quick and dirty way to search through web traffic for like three keywords. For example:
bad1
bad2
bad3
I would like to break the keywords into counts. Normally you would do count by fieldName.
Is there a way to do this in SPL, and not have to create a lookup table for each time you go hunting for something? This would probably be used once or twice per set of keywords - that is why I am not trying to do a saved lookup.
Try something like this
your base search bad1 OR bad2 OR bad3
| eval keyword=case(searchmatch("bad1"),"bad1",searchmatch("bad2"),"bad2",searchmatch("bad3"),"bad3")
| stats count by keyword
OR
your base search bad1 OR bad2 OR bad3
| rex max_match=0 "(?<keyword>(bad1|bad2|bad3))"
| stats count by keyword
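The two pipelines above differ when one event contains more than one keyword: case() stops at the first matching branch, while rex max_match=0 produces a multivalue field that stats counts once per keyword. The following Python model of both pipelines is an added example, not SPL and not code from this thread; the proxy events are constructed, and searchmatch() is approximated by a substring match.

```python
import re
from collections import Counter

# Constructed sample web-proxy events (not from the original post).
# The third event deliberately contains two keywords, bad1 and bad3.
EVENTS = [
    "10.0.0.5 GET http://example.test/bad1/index.html 200",
    "10.0.0.6 GET http://example.test/assets/bad2.js 200",
    "10.0.0.7 POST http://example.test/bad1?ref=bad3 302",
    "10.0.0.8 GET http://example.test/clean.html 200",
    "10.0.0.9 GET http://example.test/bad3 404",
]
KEYWORDS = ["bad1", "bad2", "bad3"]


def base_search(events, keywords):
    """Model 'your base search bad1 OR bad2 OR bad3': keep events with any keyword."""
    return [e for e in events if any(k in e for k in keywords)]


def count_first_match(events, keywords):
    """Model: eval keyword=case(searchmatch("bad1"),"bad1", ...) | stats count by keyword.

    case() returns the first branch that matches, so an event holding two
    keywords is attributed only to the one listed earliest in the case() call.
    """
    counts = Counter()
    for e in base_search(events, keywords):
        for k in keywords:
            if k in e:
                counts[k] += 1
                break  # first match wins, like case()
    return dict(counts)


def count_all_matches(events, keywords):
    """Model: rex max_match=0 "(?<keyword>(bad1|bad2|bad3))" | stats count by keyword.

    max_match=0 turns keyword into a multivalue field, so stats counts the
    same event once under every keyword it contains.
    """
    pattern = re.compile("(?P<keyword>" + "|".join(map(re.escape, keywords)) + ")")
    counts = Counter()
    for e in base_search(events, keywords):
        for m in pattern.finditer(e):
            counts[m.group("keyword")] += 1
    return dict(counts)
```

With the sample above, the case() version sums to the number of matching events (4) while the rex version sums to the number of keyword hits (5); pick the one that matches the question you are asking of the data.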