Re: How can I group results based on fixed String ...

wandi · ‎03-22-2012

bla xx bla Call Return: [20001TNSN NONONOONONO]

bla y bla Call Return: [20001TNSN NONONOONONO]

bla zzz bla Call Return: [40401FNSN NONONOONONO]

bla kk bla Call Return: [20001TNSN NONONOONONO]

bla y bla Call Return: [20001FNSN NONONOONONO]

A) first I like to count how many "T" and how many "F" I have. F or T are always the 6th position after "Call Return: [" sequence.

B) Is it possible also group the results for the three first numbers after the "Call Return: [" sequence? eg:

I like as a final result a graph with something like:

"200 F" => 1

"200 T" => 3

"404 F" => 1

wandi · ‎03-23-2012

wow!! I´m love with Splunk.

Thank you Damien.

Damien_Dallimor · ‎03-23-2012

We love you too 🙂

Damien_Dallimor · ‎03-22-2012

Try something like :

... | rex field=_raw "^.+Call\sReturn:\s+\[(?<sequence>\d{3})\d{2}(?<letter_code>[TF])" | stats count by sequence letter_code

How can I group results based on fixed String positions

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation