Solved: Count of occurence of string

aditya22 · ‎04-28-2020

Hi,

I am trying to get the occurence of two strings for every 3 minute interval.Tried this.

index=xyz host="hostname" "rapidViewId=" OR "/user/mention" | timechart span=3m count(eval(match(_raw,"rapidViewId="))) AS board, count(eval(match(_raw,"/user/mention"))) AS mention

I am getting the result in intended format.But on checking the events for eg:rapidViewId= I can see the events are mix of both(rapidViewId and /user/mention).

Any idea what i am doing wrong?.I need individual count in every 3 minutes.

DavidHourani · ‎04-28-2020

Hi @aditya22,

Try the following search :

index=xyz host="hostname" "rapidViewId=" OR "/user/mention" 
| eval chartingField=case(match(_raw,"rapidViewId="),"board", match(_raw,"/user/mention"), "mention")
| timechart span=3m count by chartingField

Cheers,
David

View solution in original post

DavidHourani · ‎04-28-2020

Hi @aditya22,

Try the following search :

index=xyz host="hostname" "rapidViewId=" OR "/user/mention" 
| eval chartingField=case(match(_raw,"rapidViewId="),"board", match(_raw,"/user/mention"), "mention")
| timechart span=3m count by chartingField

Cheers,
David

Count of occurence of string

eval

timechart

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?