How do I rename and extract multiple data from a s...

virgilg · ‎09-30-2016

I have log lines of the form (relevant excerpt only, they contain also hostname, timestamp, etc):

data_name: A B C D E
data_name: A
data_name: A C D

basically, data_name is a collection of strings in a set that may or may not be present for a particular log line.

I want to extract several things:
1) the entries that have A
2) the entries that have A but not C in the same line
3) all possible entries

and display their count (and e.g. hostname) in a chart.

I've tried:

( data_name AND A ) OR ( data_name AND A NOT B ) | dedup host

but this gives me results that are not distinguishable. How can I rename the first predicate (left of OR) so I can apply a "count" to it, and do the same for the second predicate (right of OR) and the third, and the fourth, etc.
Is this the right approach?

sundareshr · ‎09-30-2016

Try this (you will need to adjust the regex)

base search | rex "data_name\:\s(?<data_name>.*) | eval OnlyA=if(match(data_name, "\bA\b"), 1, 0) | eval A_No_C=if(match(data_name, "\bA\b" AND NOT match(data_name, "\bC\b"), 1, 0) | stats count sum(OnlyA) as OnlyA sum(A_No_C) as A_No_C

How do I rename and extract multiple data from a search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation