Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I rename and extract multiple data from a search?

virgilg
Explorer
‎09-30-2016 10:34 AM

I have log lines of the form (relevant excerpt only, they contain also hostname, timestamp, etc):

data_name: A B C D E
data_name: A
data_name: A C D

basically, data_name is a collection of strings in a set that may or may not be present for a particular log line.

I want to extract several things:
1) the entries that have A
2) the entries that have A but not C in the same line
3) all possible entries

and display their count (and e.g. hostname) in a chart.

I've tried:

( data_name AND A ) OR ( data_name AND A NOT B ) | dedup host

but this gives me results that are not distinguishable. How can I rename the first predicate (left of OR) so I can apply a "count" to it, and do the same for the second predicate (right of OR) and the third, and the fourth, etc.
Is this the right approach?

0 Karma
Reply

sundareshr
Legend
‎09-30-2016 11:41 AM

Try this (you will need to adjust the regex)

base search | rex "data_name\:\s(?<data_name>.*) | eval OnlyA=if(match(data_name, "\bA\b"), 1, 0) | eval A_No_C=if(match(data_name, "\bA\b" AND NOT match(data_name, "\bC\b"), 1, 0) | stats count sum(OnlyA) as OnlyA sum(A_No_C) as A_No_C
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...