Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After extracting a field with rex, what is the most efficient way to call stats on a specific value within this field?

pred15
Engager
‎07-14-2020 11:45 AM

Hi, any help with this would be appreciated!

 

rex field=msg.message "loc=(?<place>\d+)" | search place="16" | stats count by "place"

The extracted field is place. The specific place I am searching for is "16". Is there a more efficient way to search for a specific place before calling stats? 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2020 11:56 AM
Looks fine to me.
---
If this reply helps you, Karma would be appreciated.
Reply

pred15
Engager
‎07-14-2020 01:06 PM

@richgalloway Is there any more efficient way to do this such as bypassing the field extraction if I am only looking for a singular specific "place"?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2020 02:01 PM

I'm not sure if it's "more efficient", but you could try this search.  Compare this your other one using Job Inspector to see which works best.

| where match(msg.message, "loc=16")| stats count
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...