- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I count occurrences with wildcard in co...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have the following values from my search result:
/api/v2/nodes/107757943/nodes
/api/v2/nodes/107758003/nodes
/api/v2/nodes/107823072/nodes
/api/v2/nodes/107823076/nodes
/api/v2/nodes/11245276/nodes
/api/v2/nodes/11245277/nodes
/api/v2/nodes/11252545/nodes
/api/v2/nodes/11261495/nodes
/api/v2/nodes/11262557/nodes
/api/v2/nodes/11265162/nodes
/api/v2/nodes/11345880/nodes
What I need is a count of these occurrences ignoring the number between the "nodes". The number represents a folder which is browsed.
I used the following query for the above result:
index=otcs host=hostname sourcetype=Timings FunctionAction=api
Arguments="/api/v2/nodes/*/nodes"
I'm using a wildcard to show all results of the condition above no matter which number is there.
Is it possible to do a stats count by with a wildcard condition (Arguments="/api/v2/nodes/*/nodes" )?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mhornste,
If you have only these events in the result, then you can simply do a |stats count
OR
if you have other events and you only want the events which has /api/v2/nodes then
Either extract the common field and count it
|eval my_string=substr(Arguments,0,14)|stats count by my_string
OR
Replace the folder number with a common letter/word
|replace "/api/v2/nodes/*/nodes" with "/api/v2/nodes/Aestricks/nodes" in Arguments
|stats count by Arguments
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mhornste,
If you have only these events in the result, then you can simply do a |stats count
OR
if you have other events and you only want the events which has /api/v2/nodes then
Either extract the common field and count it
|eval my_string=substr(Arguments,0,14)|stats count by my_string
OR
Replace the folder number with a common letter/word
|replace "/api/v2/nodes/*/nodes" with "/api/v2/nodes/Aestricks/nodes" in Arguments
|stats count by Arguments
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, the replace works great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
index=otcs host=hostname sourcetype=Timings FunctionAction=api
Arguments="/api/v2/nodes/*/nodes"
|stats count(Arguments) by Arguments
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
thanks. That returns a count of each distinct field value. I need a count of all occurences no matter which ID is within the Arguments string.,Hi,
thank you, unfortunately, this does not ignore the ID in the middle of Arguments. I just need a count of all occurrences no matter what ID is in there.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
