Splunk Search

Count events with differing strings in same field

guywood13
Path Finder

So this search...

index="myindex" source="/data/logs/log.json" "Calculation Complete"

... the results return a MessageBody field which has various different strings in.  I need to do the most simple regex in the world (*my string) and then want to count the messages which match that string eventually charting them.  I thought this would work, but it just returns 0 for them all.

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats
| count(eval(MessageBody="*my string")) as My_String
| count(eval(MessageBody="*your string")) as Your_String
| count(eval(MessageBody="*other string")) as Other_String

 Help 🙂

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

There are a few corrections to make here.

1) "*my string" is not a valid regex.  In regular expressions, the "*" character means to repeat the previous character zero or more times - which makes no sense when the "*" is the first character.  If the "*" is intended to be a wildcard then what you have is a pattern rather than a regex.

2) The stats command and its three count functions must be a single command.  Since the pipe character ("|") separates commands, this query has an empty stats command (not allowed) and three count commands (which isn't a thing).

3) The eval function within stats compares strings literally so, in this example, it's checking that the MessageBody field starts with an asterisk and the text "my string".

Try this query

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats count(eval(like(MessageBody, "%my string"))) as My_String,
  count(eval(like(MessageBody, "%your string"))) as Your_String,
  count(eval(like(MessageBody, "%other string"))) as Other_String
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

There are a few corrections to make here.

1) "*my string" is not a valid regex.  In regular expressions, the "*" character means to repeat the previous character zero or more times - which makes no sense when the "*" is the first character.  If the "*" is intended to be a wildcard then what you have is a pattern rather than a regex.

2) The stats command and its three count functions must be a single command.  Since the pipe character ("|") separates commands, this query has an empty stats command (not allowed) and three count commands (which isn't a thing).

3) The eval function within stats compares strings literally so, in this example, it's checking that the MessageBody field starts with an asterisk and the text "my string".

Try this query

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats count(eval(like(MessageBody, "%my string"))) as My_String,
  count(eval(like(MessageBody, "%your string"))) as Your_String,
  count(eval(like(MessageBody, "%other string"))) as Other_String
---
If this reply helps you, Karma would be appreciated.

guywood13
Path Finder

Thank you @richgalloway for the explanation.  Stats look great but it isn't charting properly and I'm not sure why.  Seems to be putting the first count on the X-axis then charting the other two counts.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

It _is_ charting properly. It's just the way the chart works. It just does a chart over _rows_ of your data. If you have separate series of data in columns, it charts them alongside. So in your case - since you have all your data in one row, it's a chart of two different variables (Your_String and Other_String) over values of a variable My_String.

That's obviously not what you want, so you should do

| transpose 0

To get your data in a proper aspect.

You might also do some renaming on the resulting fields.

guywood13
Path Finder

Thanks @PickleRick this did the trick on the chart 🙂

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...