Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Grouping by the words in a field

H2ck1ngPr13sT
Loves-to-Learn
‎10-15-2024 05:07 AM

HI,

I have a below query, I want to group and count by two different words, one group per word, in a field "text1.value"  which are Load Balancer and Endpoints words are located somewhere in a string. Also I want to count how many of them occured per one day. 

Is this possible?

index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value="*Load Balancer*" OR "*Endpoints*"


Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2024 05:18 AM

Hi @H2ck1ngPr13sT ,

if you want your count for one day, you could use something like this:

index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now
| rename text1.value AS text1_value
| stats 
     count(eval(searchmatch(text1_value,"Load Balancer"))) AS LoadBalancer
     count(eval(searchmatch(text1_value,"Endpoints"))) AS Endpoints

if instead yu want the values for each day in the last 7 days, you could use something like this:

index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-17 latest=now
| rename text1.value AS text1_value
| eval type=if(searchmatch(text1_value,"Load Balancer"),"LoadBalancer", "Endpoints")
| timechart span=1d count BY type

Ciao.

Giuseppe

0 Karma
Reply

H2ck1ngPr13sT
Loves-to-Learn
‎10-15-2024 09:23 AM

Unfortunately, I'm getting error: "Error in 'EvalCommand': The arguments to the 'searchmatch' function are invalid." I've tried both solutions.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-16-2024 12:04 AM

Hi @H2ck1ngPr13sT ,

sorry I confused searchmatch with match, please use match function.

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-15-2024 12:25 PM

Replace searchmatch(text1_value,"Load Balancer") with searchmatch("text1_value=\"*Load Balancer*\""), and so on.  BTW, rename is not needed for searchmatch because it accepts any syntax/shortcut that the search command accepts. (Like search, it also does case-insensitive match.)  For example,

index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now
| stats 
     count(eval(searchmatch("text1.value=\"*Load Balancer*\""))) AS LoadBalancer
     count(eval(searchmatch("text1.value = \"*Endpoints*\""))) AS Endpoints

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...