Re: extract count of search field(SPL) by re-searc...

syloee · ‎10-31-2022

hello

index=_audit user=admin action=search info=granted search=* | table search_id search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search

I extracted the following result with this command.

search_id search
[ID1] [SPL1]
[ID2] [SPL2]
[ID3] [SPL3]

I want to extract count of search field by re-search.

search_id search count
[ID1] [SPL1] [SPL1-count]
[ID2] [SPL2] [SPL2-count]
[ID3] [SPL3] [SPL3-count]

I'd appreciate it if you could help me.

gcusello · ‎11-01-2022

Hi @syloee,

is it mandatory for you to have the ID_Search?

because every search has a different id so the count will always be 1.

if you want to know how many times a search was executed you could use:

index=_audit user=admin action=search info=granted search=* 
| stats count BY search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search
| sort -count

Ciao.

Giuseppe

gcusello · ‎10-31-2022

Hi @syloee,

let me understand: do you want to know the count of searches?

if this is your need, you could use stats instead table:

index=_audit user=admin action=search info=granted search=* 
| stats count BY search_id search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search

Ciao.

Giuseppe

syloee · ‎11-01-2022

EX>

search_id search count
[ID1] index=_internal sourcetype=splunkd 10 ( count of index=_internal sourcetype=splunkd)
[ID2] index=_internal sourcetype=splunk* 100( count of index=_internal sourcetype=splunk*)

NOT _audit log result_count, by re-search

I'd appreciate it if you could help me.

Extract count of search field(SPL) by re-search?

count

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life