Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count by grouping on a string in the results?

Kyle_Brandt
Path Finder
‎02-01-2011 06:03 PM

I have a bunch of log entries that all come from the same host as far as Splunk is concerned, but contain the name of the host in log entry. Long term I might want to look into associating these entries with the host, but for the time being I would just like get the count of these entries per host as describe in the log entry.

So for example, if 'foo' brings up all the entries. And each entry contains something like 'arf=baz1' or 'arf=baz2', how do I get how many of the results are for baz1, how many are for baz2, etc?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-01-2011 06:10 PM

So, in the log you already have

somekey=baz1

? In that case Splunk will already have extracted field "somekey" so you can just make a search like:

<your search terms....> | stats count by somekey

Else, the short way is to use the interactive field extractor: pop in the basic search, then from the small triangle on the left of each result select "Extract fields". Provide some examples and test if the results match what you've expected. If not, trick a bit with the regular expression. Than save the field and run the forementioned search.

But in the end, I strongly suggest you to tweak with props.conf and transforms.conf to get your hosts correct from the very beginning. Here's the guide you might be interested into.

View solution in original post

Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-01-2011 06:10 PM

So, in the log you already have

somekey=baz1

? In that case Splunk will already have extracted field "somekey" so you can just make a search like:

<your search terms....> | stats count by somekey

Else, the short way is to use the interactive field extractor: pop in the basic search, then from the small triangle on the left of each result select "Extract fields". Provide some examples and test if the results match what you've expected. If not, trick a bit with the regular expression. Than save the field and run the forementioned search.

But in the end, I strongly suggest you to tweak with props.conf and transforms.conf to get your hosts correct from the very beginning. Here's the guide you might be interested into.

Reply
Solved! Jump to solution

Kyle_Brandt
Path Finder
‎02-01-2011 06:27 PM

Oh sorry I get it now. Extract the field the way you said, call it something else like "log_entry_host" and then stats count by log_entry_host

0 Karma
Reply
Solved! Jump to solution

Kyle_Brandt
Path Finder
‎02-01-2011 06:21 PM

but since somekey=baz1 in this case happens to be 'host' is there anyway I can tell it to use the actual text in the results with the count by syntax?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...