Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count by grouping on a string in the results?

Kyle_Brandt
Path Finder
‎02-01-2011 06:03 PM

I have a bunch of log entries that all come from the same host as far as Splunk is concerned, but contain the name of the host in log entry. Long term I might want to look into associating these entries with the host, but for the time being I would just like get the count of these entries per host as describe in the log entry.

So for example, if 'foo' brings up all the entries. And each entry contains something like 'arf=baz1' or 'arf=baz2', how do I get how many of the results are for baz1, how many are for baz2, etc?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-01-2011 06:10 PM

So, in the log you already have

somekey=baz1

? In that case Splunk will already have extracted field "somekey" so you can just make a search like:

<your search terms....> | stats count by somekey

Else, the short way is to use the interactive field extractor: pop in the basic search, then from the small triangle on the left of each result select "Extract fields". Provide some examples and test if the results match what you've expected. If not, trick a bit with the regular expression. Than save the field and run the forementioned search.

But in the end, I strongly suggest you to tweak with props.conf and transforms.conf to get your hosts correct from the very beginning. Here's the guide you might be interested into.

View solution in original post

Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎02-01-2011 06:10 PM

So, in the log you already have

somekey=baz1

? In that case Splunk will already have extracted field "somekey" so you can just make a search like:

<your search terms....> | stats count by somekey

Else, the short way is to use the interactive field extractor: pop in the basic search, then from the small triangle on the left of each result select "Extract fields". Provide some examples and test if the results match what you've expected. If not, trick a bit with the regular expression. Than save the field and run the forementioned search.

But in the end, I strongly suggest you to tweak with props.conf and transforms.conf to get your hosts correct from the very beginning. Here's the guide you might be interested into.

Reply
Solved! Jump to solution

Kyle_Brandt
Path Finder
‎02-01-2011 06:27 PM

Oh sorry I get it now. Extract the field the way you said, call it something else like "log_entry_host" and then stats count by log_entry_host

0 Karma
Reply
Solved! Jump to solution

Kyle_Brandt
Path Finder
‎02-01-2011 06:21 PM

but since somekey=baz1 in this case happens to be 'host' is there anyway I can tell it to use the actual text in the results with the count by syntax?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...