Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After extracting a field with rex, what is the most efficient way to call stats on a specific value within this field?

pred15
Engager
‎07-14-2020 11:45 AM

Hi, any help with this would be appreciated!

 

rex field=msg.message "loc=(?<place>\d+)" | search place="16" | stats count by "place"

The extracted field is place. The specific place I am searching for is "16". Is there a more efficient way to search for a specific place before calling stats? 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2020 11:56 AM
Looks fine to me.
---
If this reply helps you, Karma would be appreciated.
Reply

pred15
Engager
‎07-14-2020 01:06 PM

@richgalloway Is there any more efficient way to do this such as bypassing the field extraction if I am only looking for a singular specific "place"?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2020 02:01 PM

I'm not sure if it's "more efficient", but you could try this search.  Compare this your other one using Job Inspector to see which works best.

| where match(msg.message, "loc=16")| stats count
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...