Re: How can I group results based on fixed String ...

wandi · ‎03-22-2012

bla xx bla Call Return: [20001TNSN NONONOONONO]

bla y bla Call Return: [20001TNSN NONONOONONO]

bla zzz bla Call Return: [40401FNSN NONONOONONO]

bla kk bla Call Return: [20001TNSN NONONOONONO]

bla y bla Call Return: [20001FNSN NONONOONONO]

A) first I like to count how many "T" and how many "F" I have. F or T are always the 6th position after "Call Return: [" sequence.

B) Is it possible also group the results for the three first numbers after the "Call Return: [" sequence? eg:

I like as a final result a graph with something like:

"200 F" => 1

"200 T" => 3

"404 F" => 1

wandi · ‎03-23-2012

wow!! I´m love with Splunk.

Thank you Damien.

Damien_Dallimor · ‎03-23-2012

We love you too 🙂

Damien_Dallimor · ‎03-22-2012

Try something like :

... | rex field=_raw "^.+Call\sReturn:\s+\[(?<sequence>\d{3})\d{2}(?<letter_code>[TF])" | stats count by sequence letter_code

How can I group results based on fixed String positions

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How can I group results based on fixed String positions

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!