Splunk Search

How do I count occurrences with wildcard in count by field?

mhornste
Path Finder

Hi,

I have the following values from my search result:

/api/v2/nodes/107757943/nodes 
/api/v2/nodes/107758003/nodes 
/api/v2/nodes/107823072/nodes 
/api/v2/nodes/107823076/nodes 
/api/v2/nodes/11245276/nodes 
/api/v2/nodes/11245277/nodes 
/api/v2/nodes/11252545/nodes 
/api/v2/nodes/11261495/nodes 
/api/v2/nodes/11262557/nodes  
/api/v2/nodes/11265162/nodes 
/api/v2/nodes/11345880/nodes 

What I need is a count of these occurrences ignoring the number between the "nodes". The number represents a folder which is browsed.

I used the following query for the above result:

index=otcs host=hostname sourcetype=Timings FunctionAction=api
Arguments="/api/v2/nodes/*/nodes" 

I'm using a wildcard to show all results of the condition above no matter which number is there.

Is it possible to do a stats count by with a wildcard condition (Arguments="/api/v2/nodes/*/nodes" )?

Tags (3)
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@mhornste,
If you have only these events in the result, then you can simply do a |stats count

OR

if you have other events and you only want the events which has /api/v2/nodes then
Either extract the common field and count it

|eval my_string=substr(Arguments,0,14)|stats count by my_string

OR
Replace the folder number with a common letter/word

|replace "/api/v2/nodes/*/nodes" with "/api/v2/nodes/Aestricks/nodes" in Arguments
|stats count by Arguments

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

@mhornste,
If you have only these events in the result, then you can simply do a |stats count

OR

if you have other events and you only want the events which has /api/v2/nodes then
Either extract the common field and count it

|eval my_string=substr(Arguments,0,14)|stats count by my_string

OR
Replace the folder number with a common letter/word

|replace "/api/v2/nodes/*/nodes" with "/api/v2/nodes/Aestricks/nodes" in Arguments
|stats count by Arguments

View solution in original post

mhornste
Path Finder

thanks, the replace works great!

0 Karma

afroz
Path Finder

Hi,
index=otcs host=hostname sourcetype=Timings FunctionAction=api
Arguments="/api/v2/nodes/*/nodes"
|stats count(Arguments) by Arguments

0 Karma

mhornste
Path Finder

Hi,

thanks. That returns a count of each distinct field value. I need a count of all occurences no matter which ID is within the Arguments string.,Hi,

thank you, unfortunately, this does not ignore the ID in the middle of Arguments. I just need a count of all occurrences no matter what ID is in there.

0 Karma