Count events with differing strings in same field

guywood13
Path Finder

So this search...

index="myindex" source="/data/logs/log.json" "Calculation Complete"

... the results return a MessageBody field which has various different strings in it.  I need to do the most simple regex in the world (*my string) and then want to count the messages which match that string, eventually charting them.  I thought this would work, but it just returns 0 for them all.

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats
| count(eval(MessageBody="*my string")) as My_String
| count(eval(MessageBody="*your string")) as Your_String
| count(eval(MessageBody="*other string")) as Other_String

Help 🙂

richgalloway
SplunkTrust

There are a few corrections to make here.

1) "*my string" is not a valid regex.  In regular expressions, the "*" character means to repeat the previous character zero or more times - which makes no sense when the "*" is the first character.  If the "*" is intended to be a wildcard then what you have is a pattern rather than a regex.

2) The stats command and its three count functions must be a single command.  Since the pipe character ("|") separates commands, this query has an empty stats command (not allowed) and three count commands (which isn't a thing).

3) The eval function within stats compares strings literally so, in this example, it's checking that the MessageBody field starts with an asterisk and the text "my string".

Try this query

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats count(eval(like(MessageBody, "%my string"))) as My_String,
  count(eval(like(MessageBody, "%your string"))) as Your_String,
  count(eval(like(MessageBody, "%other string"))) as Other_String
---
If this reply helps you, Karma would be appreciated.
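As an added example (not code from the original post or the reply above) of the pattern-versus-regex distinction described in points 1 and 3: the same "ends with my string" test written with like(), which takes SQL-style wildcards, and with match(), which takes a regex. The index, source and field names are taken from the question; the extra columns (Total, Like_Anywhere, the case-insensitive regex) are added here for contrast and are not in the original query.

```spl
index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats count AS Total,
        count(eval(like(MessageBody, "%my string"))) AS Like_Suffix,
        count(eval(match(MessageBody, "my string$"))) AS Regex_Suffix,
        count(eval(match(MessageBody, "(?i)my string$"))) AS Regex_Suffix_CI,
        count(eval(like(MessageBody, "%my string%"))) AS Like_Anywhere
```

Like_Suffix and Regex_Suffix should agree: in like() the `%` wildcard matches any run of characters and `_` matches exactly one, while in match() the trailing `$` does the anchoring. Both comparisons are case-sensitive unless you opt out, as the `(?i)` column does. A literal `*` inside like() or an unanchored eval comparison (`MessageBody="*my string"`) matches only a field that actually contains that asterisk, which is why the original query returned 0 everywhere.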

guywood13
Path Finder

Thank you @richgalloway for the explanation.  Stats look great but it isn't charting properly and I'm not sure why.  Seems to be putting the first count on the X-axis then charting the other two counts.


PickleRick
SplunkTrust

It _is_ charting properly. It's just the way the chart works. It just does a chart over _rows_ of your data. If you have separate series of data in columns, it charts them alongside. So in your case - since you have all your data in one row, it's a chart of two different variables (Your_String and Other_String) over values of a variable My_String.

That's obviously not what you want, so you should do

| transpose 0

To get your data in a proper aspect.

You might also do some renaming on the resulting fields.
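An added alternative (not part of PickleRick's reply or the original post) that gets a chartable shape without transpose: each event is tagged with the first pattern it matches and timechart builds one series per tag, which also gives a trend over time rather than a single total. Index, source and field names come from the question; the Unmatched bucket and the `span=1h` bucket size are assumptions added here so that events matching none of the three patterns stay visible instead of silently disappearing from the chart.

```spl
index="myindex" source="/data/logs/log.json" "Calculation Complete"
| eval Pattern=case(like(MessageBody, "%my string"),    "My_String",
                    like(MessageBody, "%your string"),  "Your_String",
                    like(MessageBody, "%other string"), "Other_String",
                    true(),                             "Unmatched")
| timechart span=1h count BY Pattern
```

case() returns the value of the first condition that is true, so if two patterns can match the same MessageBody, order them from most to least specific. If you prefer to keep the stats/transpose form from the accepted answer, note that `transpose 0` emits a `column` field holding the old field names and a `row 1` field holding the counts, so `| rename column AS Pattern, "row 1" AS Count` is the renaming step that makes the chart legend readable.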

guywood13
Path Finder

Thanks @PickleRick this did the trick on the chart 🙂
