Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

FInd multiple keywords in file and show them on a chart

raffaeledifazio
Engager
‎04-22-2013 04:34 AM

I have a CSV file in which I have a column containing timestamps and a column containing text. I want to be albe to look for occurrences of certain keywords (let's say 10 keywords) and to show the number of occurrences of each keyword on a chart. It would also be good to find a display them over time. What I do not understand is how to search for multiple keywords on this strings while counting the occurrences... can you help me?

Example file (where timestamp represent the day):

TIMESTAMP;TEXT_STRING
20;The quick brown fox jumps over the lazy dog

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-22-2013 05:03 AM

Assuming that you have a csv file with headers (e.g. timestamp and string), you could use the inputlookup feature to load the file as search results. 

| inputlookup file.csv 
| rex field=string "(?<word>\S+)" max_match=0 
| mvexpand word 
| table timestamp word 
| search word=xxx OR word=yyy OR word=zzz 
| top 10 word

Add more words in the 'search' statement above. The last statement can be changed for 

| chart count over timestamp by word

There are probably more than one way to do this, and probably more efficient than this.

/K

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-22-2013 05:03 AM

Assuming that you have a csv file with headers (e.g. timestamp and string), you could use the inputlookup feature to load the file as search results. 

| inputlookup file.csv 
| rex field=string "(?<word>\S+)" max_match=0 
| mvexpand word 
| table timestamp word 
| search word=xxx OR word=yyy OR word=zzz 
| top 10 word

Add more words in the 'search' statement above. The last statement can be changed for 

| chart count over timestamp by word

There are probably more than one way to do this, and probably more efficient than this.

/K

Reply
Solved! Jump to solution

raffaeledifazio
Engager
‎04-22-2013 05:52 AM

Thanks, this helps a lot.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...