Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count by grouping on a string in the results?

Kyle_Brandt
Path Finder
‎02-01-2011 06:03 PM

I have a bunch of log entries that all come from the same host as far as Splunk is concerned, but contain the name of the host in log entry. Long term I might want to look into associating these entries with the host, but for the time being I would just like get the count of these entries per host as describe in the log entry.

So for example, if 'foo' brings up all the entries. And each entry contains something like 'arf=baz1' or 'arf=baz2', how do I get how many of the results are for baz1, how many are for baz2, etc?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-01-2011 06:10 PM

So, in the log you already have

somekey=baz1

? In that case Splunk will already have extracted field "somekey" so you can just make a search like:

<your search terms....> | stats count by somekey

Else, the short way is to use the interactive field extractor: pop in the basic search, then from the small triangle on the left of each result select "Extract fields". Provide some examples and test if the results match what you've expected. If not, trick a bit with the regular expression. Than save the field and run the forementioned search.

But in the end, I strongly suggest you to tweak with props.conf and transforms.conf to get your hosts correct from the very beginning. Here's the guide you might be interested into.

View solution in original post

Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-01-2011 06:10 PM

So, in the log you already have

somekey=baz1

? In that case Splunk will already have extracted field "somekey" so you can just make a search like:

<your search terms....> | stats count by somekey

Else, the short way is to use the interactive field extractor: pop in the basic search, then from the small triangle on the left of each result select "Extract fields". Provide some examples and test if the results match what you've expected. If not, trick a bit with the regular expression. Than save the field and run the forementioned search.

But in the end, I strongly suggest you to tweak with props.conf and transforms.conf to get your hosts correct from the very beginning. Here's the guide you might be interested into.

Reply
Solved! Jump to solution

Kyle_Brandt
Path Finder
‎02-01-2011 06:27 PM

Oh sorry I get it now. Extract the field the way you said, call it something else like "log_entry_host" and then stats count by log_entry_host

0 Karma
Reply
Solved! Jump to solution

Kyle_Brandt
Path Finder
‎02-01-2011 06:21 PM

but since somekey=baz1 in this case happens to be 'host' is there anyway I can tell it to use the actual text in the results with the count by syntax?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...