Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count events with differing strings in same field

guywood13
Path Finder
‎09-24-2021 02:17 AM

So this search...

index="myindex" source="/data/logs/log.json" "Calculation Complete"

... the results return a MessageBody field which has various different strings in.  I need to do the most simple regex in the world (*my string) and then want to count the messages which match that string eventually charting them.  I thought this would work, but it just returns 0 for them all.

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats
| count(eval(MessageBody="*my string")) as My_String
| count(eval(MessageBody="*your string")) as Your_String
| count(eval(MessageBody="*other string")) as Other_String

 Help 🙂

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2021 05:47 AM

There are a few corrections to make here.

1) "*my string" is not a valid regex.  In regular expressions, the "*" character means to repeat the previous character zero or more times - which makes no sense when the "*" is the first character.  If the "*" is intended to be a wildcard then what you have is a pattern rather than a regex.

2) The stats command and its three count functions must be a single command.  Since the pipe character ("|") separates commands, this query has an empty stats command (not allowed) and three count commands (which isn't a thing).

3) The eval function within stats compares strings literally so, in this example, it's checking that the MessageBody field starts with an asterisk and the text "my string".

Try this query

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats count(eval(like(MessageBody, "%my string"))) as My_String,
  count(eval(like(MessageBody, "%your string"))) as Your_String,
  count(eval(like(MessageBody, "%other string"))) as Other_String
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2021 05:47 AM

There are a few corrections to make here.

1) "*my string" is not a valid regex.  In regular expressions, the "*" character means to repeat the previous character zero or more times - which makes no sense when the "*" is the first character.  If the "*" is intended to be a wildcard then what you have is a pattern rather than a regex.

2) The stats command and its three count functions must be a single command.  Since the pipe character ("|") separates commands, this query has an empty stats command (not allowed) and three count commands (which isn't a thing).

3) The eval function within stats compares strings literally so, in this example, it's checking that the MessageBody field starts with an asterisk and the text "my string".

Try this query

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats count(eval(like(MessageBody, "%my string"))) as My_String,
  count(eval(like(MessageBody, "%your string"))) as Your_String,
  count(eval(like(MessageBody, "%other string"))) as Other_String
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

guywood13
Path Finder
‎09-27-2021 02:49 AM

Thank you @richgalloway for the explanation.  Stats look great but it isn't charting properly and I'm not sure why.  Seems to be putting the first count on the X-axis then charting the other two counts.

Preview file
66 KB
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2021 03:28 AM

It _is_ charting properly. It's just the way the chart works. It just does a chart over _rows_ of your data. If you have separate series of data in columns, it charts them alongside. So in your case - since you have all your data in one row, it's a chart of two different variables (Your_String and Other_String) over values of a variable My_String.

That's obviously not what you want, so you should do

| transpose 0

To get your data in a proper aspect.

You might also do some renaming on the resulting fields.

Reply
Solved! Jump to solution

guywood13
Path Finder
‎09-28-2021 08:47 AM

Thanks @PickleRick this did the trick on the chart 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...