Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Counting Particular Characters Within a Field

henryt1
Path Finder
‎12-04-2012 09:03 AM

Hello,

I need to put together a report that involves counting certain characters in a field within Splunk. For instance, my query looks like "... | stats count by q". What I'm returned with the field "q" might look like either of the following:

(summary:(superhydrophob*%20OR%20superoleophob*))%20AND%20(summary:(fabric%20OR%20hair%20OR%20skin))%20AND%20(publicationdate:[2007%20TO%202012])

%28summary%3A%28machine%20AND%20learning%20AND%20error%29%29%20AND%20%28publicationdate%3A%5B2007%20TO%202012%5D%29%20AND%20%28country%3AUS%29

Within those two results I'm interested in how many total colons there are, so because of HTML encoding I would be interested in both ":" as well as "%3A". So the total amount of characters with these two results that I would like to get back would be 6.

Is there anyway I could do this within Splunk? Right now I have to export and use Excel, which is extremely time consuming. Any help would be greatly appreciated, thanks in advance.

-Tyler

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎10-17-2013 07:04 AM

..| eval bar = urldecode(q) | eval colCount=mvcount(split(bar,":"))-1 | stats count by q colCount | eventstats sum(colCount) as TotalColons

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2012 09:36 AM

Rex and eval might be able to help in this case. My approach first decodes the q field, so you only have to work with one format of colon. Then, you can count the number of matches for a single colon.

Try this:

your_search | eval dq = urldecode(q)|rex max_match=100 field=dq "(?<colons>:)"|stats count(colons) as "Number of Total colons" by dq

0 Karma
Reply

henryt1
Path Finder
‎12-04-2012 11:27 AM

It looks like it's still seeing the whole "q" field but the count is pretty far off.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2012 10:24 AM

How far off was it? and the count is per distinct url. If you just want total, then do "count(colons)". You can also try setting max_match to 0, which means unlimited. But I'm not sure if you have more than 100 colons in a line or not.
I did notice that because you have "%20" (a space), the q did not extract properly on my test. So for the colons it sees, it sees the right number, but doesn't get the whole q because of the space.

0 Karma
Reply

henryt1
Path Finder
‎12-04-2012 10:09 AM

This didn't see to work. It gave me a separate column for the colons, but the count wasn't correct.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎12-04-2012 09:22 AM

This should help.

http://splunk-base.splunk.com/answers/28276/count-of-character-in-field

Details on the functions of eval here:

http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/CommonEvalFunctions

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...