Splunk Search

Count based on wildcard in search

anrak33
Explorer

I am running a search like 

index="main" app="student-api" "path"="/v1/enroll" 

And in the events (when I select Raw) I see this type of output

{
"application":"student-api",
"environment":"prod",
"timestamp":"2023-02-23T08:24:23.163Z",
"traceId":"2a2e3980-e61b-4927-b270-1785569d5af8",
"response":{
"statusCode":"200",
},
"request":{
"protocol":"HTTP/1.1",
"method":"POST",
"path":"/v1/enroll",
"headers":{
"Accept-Encoding":[
"gzip"
],
"Accept-Language":[
"en_US"
],
"Content-Type":[
"application/json; charset=UTF-8"
],
"Experiments":[
"{\"n\":\"first_enroll\",\"p\":\"BACKEND_SERVICE\",\"v\":\"FIRST\"},{\"n\":\"ttl_ios\",\"p\":\"BACKEND_SERVICE\",\"v\":\"default\"}]}"
],
"TraceId":[
"2a2e3980-e61b-4927-b270-1785569d5af8"
]
},
"cookies":"",
"body":""
},
"duration":115
}

 Now, I am trying to generate count based on how many of the ttl_ios has value = default ({\"n\":\"ttl_ios\",\"p\":\"BACKEND_SERVICE\",\"v\":\"default\"}] is where it is default)  vs non-default - so the result should look like say - 
variant               count
default                10
non-default        3

(default and non-default are the only 2 values it can have)
Appreciate your help on this. Thanks

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 "ttl_ios\\\\\",\\\\\"p\\\\\":\\\\\"\w+\\\\\",\\\\\"v\\\\\":\\\\\"(?<ttl_ios>[^\"]+)\\\\\""
| stats count by ttl_ios

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 "ttl_ios\\\\\",\\\\\"p\\\\\":\\\\\"\w+\\\\\",\\\\\"v\\\\\":\\\\\"(?<ttl_ios>[^\"]+)\\\\\""
| stats count by ttl_ios
0 Karma

anrak33
Explorer

thanks @ITWhisperer  - that worked 

one q - what if the data format changed? aka it looked like 

{\"n\":\"ttl_ios\",\"v\":\"default\",\"p\":\"BACKEND_SERVICE\"}]}
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If you do it like this, it would cope with either situation.

| rex max_match=0 "ttl_ios\\\\\",.*?\\\\\"v\\\\\":\\\\\"(?<ttl_ios>[^\"]+)\\\\\""
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...