Find the most common individual characters in a fi...

suspicious_link · ‎01-13-2021

Hi longtime splunker, first time poster

so my goal here is to find the most common and uncommon characters in a field across multiple events.

event1: commandline="the quick brown fox"

event2: commandline="jumped over the lazy dog"

the search i've tried

index=data | fields command_line | rex field=command_line "(?<cmd_char>.)" | top cmd_char

this rex only pulls the first char from the field and would want to pull numbers from the whole commandline

results from top (or whatever function):

char (with " cause spaces would be hard to see here) | count

" " | 7

"e" | 3

"t" | 2

"u" | 2

"h" | 1

"q" | 1

bowesmana · ‎01-13-2021

You want the max_match parameter to rex

| makeresults 
| eval commandline=split("the quick brown fox :jumped over the lazy dog",":")
| mvexpand commandline
| rex field=commandline max_match=0 "(?<cmd_char>.)" 
| top cmd_char

Hope this helps

Find the most common individual characters in a field

field extraction

regex

rex

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Data Persistence in the OpenTelemetry Collector

Thanks for the Memories! Splunk University, .conf25, and our Community

Are you a member of the Splunk Community?