How do I rename and extract multiple data from a s...

virgilg · ‎09-30-2016

I have log lines of the form (relevant excerpt only, they contain also hostname, timestamp, etc):

data_name: A B C D E
data_name: A
data_name: A C D

basically, data_name is a collection of strings in a set that may or may not be present for a particular log line.

I want to extract several things:
1) the entries that have A
2) the entries that have A but not C in the same line
3) all possible entries

and display their count (and e.g. hostname) in a chart.

I've tried:

( data_name AND A ) OR ( data_name AND A NOT B ) | dedup host

but this gives me results that are not distinguishable. How can I rename the first predicate (left of OR) so I can apply a "count" to it, and do the same for the second predicate (right of OR) and the third, and the fourth, etc.
Is this the right approach?

sundareshr · ‎09-30-2016

Try this (you will need to adjust the regex)

base search | rex "data_name\:\s(?<data_name>.*) | eval OnlyA=if(match(data_name, "\bA\b"), 1, 0) | eval A_No_C=if(match(data_name, "\bA\b" AND NOT match(data_name, "\bC\b"), 1, 0) | stats count sum(OnlyA) as OnlyA sum(A_No_C) as A_No_C

How do I rename and extract multiple data from a search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation