Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- use strings values as a variable to do stats
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=myindex ( "Sign-up experience experiment not allowed" OR "Sign-up experience experiment allowed" OR "experiments.1" )
SO, there are three string searches; the first tow differ in a "not" inside the text.
I would like to do a stats to count for the appearance of each, e.g.
| stats count by <var>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gsbpp
You can try something below to match and do a stats count.
index=myindex (
"Sign-up experience experiment not allowed"
OR "Sign-up experience experiment allowed"
OR "experiments.1"
)
| eval phrase=case(
searchmatch("Sign-up experience experiment not allowed"), "Sign-up experience experiment not allowed",
searchmatch("Sign-up experience experiment allowed"), "Sign-up experience experiment allowed",
searchmatch("experiments.1"), "experiments.1"
)
| stats count by phrase
Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gsbpp
You can try something below to match and do a stats count.
index=myindex (
"Sign-up experience experiment not allowed"
OR "Sign-up experience experiment allowed"
OR "experiments.1"
)
| eval phrase=case(
searchmatch("Sign-up experience experiment not allowed"), "Sign-up experience experiment not allowed",
searchmatch("Sign-up experience experiment allowed"), "Sign-up experience experiment allowed",
searchmatch("experiments.1"), "experiments.1"
)
| stats count by phrase
Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the searched-for strings are in a known field then you can use that field in the stats command.
index=myindex ( "Sign-up experience experiment not allowed" OR "Sign-up experience experiment allowed" OR "experiments.1" )
| stats count by fooOTOH, if the strings can be anywhere then it gets more involved. We need to create a field for the stats command to use.
index=myindex ( "Sign-up experience experiment not allowed" OR "Sign-up experience experiment allowed" OR "experiments.1" )
| eval foo=case(searchmatch("Sign-up experience experiment not allowed"),"Not allowed",
searchmatch("Sign-up experience experiment allowed"), "Allowed", searchmatch("experiments.1"), "Experiments",
1==1, "Other" )
| stats count by fooIf this reply helps you, Karma would be appreciated.
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
