Solved: How do I get an accurate count for a field that ha...

vinay4444 · ‎10-13-2015

Hi

We have field that has data in different formats (having values in [] but other simply name) e.g.

itemkey = ms.db.cpu_usage_percent[WL_DBA]
itemkey = ms.db.locks_count

I use the search below to get distinct metrics name stripping out workload [WL_DBA] but it does not count metrics without [] like ms.db.locks_count how do I get counts of both together?

index=xxxx sourcetype="xxx" value >= 0.000 | rex field=itemKey (?<metric>.)[(?<space>.)] | dedup metric | stats count(metric)

somesoni2 · ‎10-13-2015

Try something like this

index=xxxx sourcetype="xxx" value >= 0.000 | rex field=itemKey "(?<metric>[^\[]*)" | dedup metric | stats count(metric)

OR

  index=xxxx sourcetype="xxx" value >= 0.000 | eval metric=replace(itemKey,"(.*)\[.*\]","\1") | stats dc(metric)

View solution in original post

somesoni2 · ‎10-13-2015

Try something like this

index=xxxx sourcetype="xxx" value >= 0.000 | rex field=itemKey "(?<metric>[^\[]*)" | dedup metric | stats count(metric)

OR

  index=xxxx sourcetype="xxx" value >= 0.000 | eval metric=replace(itemKey,"(.*)\[.*\]","\1") | stats dc(metric)

How do I get an accurate count for a field that has values in different formats?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How do I get an accurate count for a field that has values in different formats?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases