Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Counting Particular Characters Within a Field

henryt1
Path Finder
‎12-04-2012 09:03 AM

Hello,

I need to put together a report that involves counting certain characters in a field within Splunk. For instance, my query looks like "... | stats count by q". What I'm returned with the field "q" might look like either of the following:

(summary:(superhydrophob*%20OR%20superoleophob*))%20AND%20(summary:(fabric%20OR%20hair%20OR%20skin))%20AND%20(publicationdate:[2007%20TO%202012])

%28summary%3A%28machine%20AND%20learning%20AND%20error%29%29%20AND%20%28publicationdate%3A%5B2007%20TO%202012%5D%29%20AND%20%28country%3AUS%29

Within those two results I'm interested in how many total colons there are, so because of HTML encoding I would be interested in both ":" as well as "%3A". So the total amount of characters with these two results that I would like to get back would be 6.

Is there anyway I could do this within Splunk? Right now I have to export and use Excel, which is extremely time consuming. Any help would be greatly appreciated, thanks in advance.

-Tyler

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎10-17-2013 07:04 AM

..| eval bar = urldecode(q) | eval colCount=mvcount(split(bar,":"))-1 | stats count by q colCount | eventstats sum(colCount) as TotalColons

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2012 09:36 AM

Rex and eval might be able to help in this case. My approach first decodes the q field, so you only have to work with one format of colon. Then, you can count the number of matches for a single colon.

Try this:

your_search | eval dq = urldecode(q)|rex max_match=100 field=dq "(?<colons>:)"|stats count(colons) as "Number of Total colons" by dq

0 Karma
Reply

henryt1
Path Finder
‎12-04-2012 11:27 AM

It looks like it's still seeing the whole "q" field but the count is pretty far off.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2012 10:24 AM

How far off was it? and the count is per distinct url. If you just want total, then do "count(colons)". You can also try setting max_match to 0, which means unlimited. But I'm not sure if you have more than 100 colons in a line or not.
I did notice that because you have "%20" (a space), the q did not extract properly on my test. So for the colons it sees, it sees the right number, but doesn't get the whole q because of the space.

0 Karma
Reply

henryt1
Path Finder
‎12-04-2012 10:09 AM

This didn't see to work. It gave me a separate column for the colons, but the count wasn't correct.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎12-04-2012 09:22 AM

This should help.

http://splunk-base.splunk.com/answers/28276/count-of-character-in-field

Details on the functions of eval here:

http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/CommonEvalFunctions

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...