Solved: How do I get an accurate count for a field that ha...

vinay4444 · ‎10-13-2015

Hi

We have field that has data in different formats (having values in [] but other simply name) e.g.

itemkey = ms.db.cpu_usage_percent[WL_DBA]
itemkey = ms.db.locks_count

I use the search below to get distinct metrics name stripping out workload [WL_DBA] but it does not count metrics without [] like ms.db.locks_count how do I get counts of both together?

index=xxxx sourcetype="xxx" value >= 0.000 | rex field=itemKey (?<metric>.)[(?<space>.)] | dedup metric | stats count(metric)

somesoni2 · ‎10-13-2015

Try something like this

index=xxxx sourcetype="xxx" value >= 0.000 | rex field=itemKey "(?<metric>[^\[]*)" | dedup metric | stats count(metric)

OR

  index=xxxx sourcetype="xxx" value >= 0.000 | eval metric=replace(itemKey,"(.*)\[.*\]","\1") | stats dc(metric)

View solution in original post

somesoni2 · ‎10-13-2015

Try something like this

index=xxxx sourcetype="xxx" value >= 0.000 | rex field=itemKey "(?<metric>[^\[]*)" | dedup metric | stats count(metric)

OR

  index=xxxx sourcetype="xxx" value >= 0.000 | eval metric=replace(itemKey,"(.*)\[.*\]","\1") | stats dc(metric)

How do I get an accurate count for a field that has values in different formats?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience