Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count events with differing strings in same field

guywood13
Path Finder
‎09-24-2021 02:17 AM

So this search...

index="myindex" source="/data/logs/log.json" "Calculation Complete"

... the results return a MessageBody field which has various different strings in.  I need to do the most simple regex in the world (*my string) and then want to count the messages which match that string eventually charting them.  I thought this would work, but it just returns 0 for them all.

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats
| count(eval(MessageBody="*my string")) as My_String
| count(eval(MessageBody="*your string")) as Your_String
| count(eval(MessageBody="*other string")) as Other_String

 Help 🙂

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2021 05:47 AM

There are a few corrections to make here.

1) "*my string" is not a valid regex.  In regular expressions, the "*" character means to repeat the previous character zero or more times - which makes no sense when the "*" is the first character.  If the "*" is intended to be a wildcard then what you have is a pattern rather than a regex.

2) The stats command and its three count functions must be a single command.  Since the pipe character ("|") separates commands, this query has an empty stats command (not allowed) and three count commands (which isn't a thing).

3) The eval function within stats compares strings literally so, in this example, it's checking that the MessageBody field starts with an asterisk and the text "my string".

Try this query

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats count(eval(like(MessageBody, "%my string"))) as My_String,
  count(eval(like(MessageBody, "%your string"))) as Your_String,
  count(eval(like(MessageBody, "%other string"))) as Other_String
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2021 05:47 AM

There are a few corrections to make here.

1) "*my string" is not a valid regex.  In regular expressions, the "*" character means to repeat the previous character zero or more times - which makes no sense when the "*" is the first character.  If the "*" is intended to be a wildcard then what you have is a pattern rather than a regex.

2) The stats command and its three count functions must be a single command.  Since the pipe character ("|") separates commands, this query has an empty stats command (not allowed) and three count commands (which isn't a thing).

3) The eval function within stats compares strings literally so, in this example, it's checking that the MessageBody field starts with an asterisk and the text "my string".

Try this query

index="myindex" source="/data/logs/log.json" "Calculation Complete"
| stats count(eval(like(MessageBody, "%my string"))) as My_String,
  count(eval(like(MessageBody, "%your string"))) as Your_String,
  count(eval(like(MessageBody, "%other string"))) as Other_String
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

guywood13
Path Finder
‎09-27-2021 02:49 AM

Thank you @richgalloway for the explanation.  Stats look great but it isn't charting properly and I'm not sure why.  Seems to be putting the first count on the X-axis then charting the other two counts.

splunk_chart1.jpg
Preview file
66 KB
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2021 03:28 AM

It _is_ charting properly. It's just the way the chart works. It just does a chart over _rows_ of your data. If you have separate series of data in columns, it charts them alongside. So in your case - since you have all your data in one row, it's a chart of two different variables (Your_String and Other_String) over values of a variable My_String.

That's obviously not what you want, so you should do

| transpose 0

To get your data in a proper aspect.

You might also do some renaming on the resulting fields.

Reply
Solved! Jump to solution

guywood13
Path Finder
‎09-28-2021 08:47 AM

Thanks @PickleRick this did the trick on the chart 🙂

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
Top