Solved: Count of occurence of string

aditya22 · ‎04-28-2020

Hi,

I am trying to get the occurence of two strings for every 3 minute interval.Tried this.

index=xyz host="hostname" "rapidViewId=" OR "/user/mention" | timechart span=3m count(eval(match(_raw,"rapidViewId="))) AS board, count(eval(match(_raw,"/user/mention"))) AS mention

I am getting the result in intended format.But on checking the events for eg:rapidViewId= I can see the events are mix of both(rapidViewId and /user/mention).

Any idea what i am doing wrong?.I need individual count in every 3 minutes.

DavidHourani · ‎04-28-2020

Hi @aditya22,

Try the following search :

index=xyz host="hostname" "rapidViewId=" OR "/user/mention" 
| eval chartingField=case(match(_raw,"rapidViewId="),"board", match(_raw,"/user/mention"), "mention")
| timechart span=3m count by chartingField

Cheers,
David

View solution in original post

DavidHourani · ‎04-28-2020

Hi @aditya22,

Try the following search :

index=xyz host="hostname" "rapidViewId=" OR "/user/mention" 
| eval chartingField=case(match(_raw,"rapidViewId="),"board", match(_raw,"/user/mention"), "mention")
| timechart span=3m count by chartingField

Cheers,
David

Count of occurence of string

eval

timechart

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms