Solved: How do I search the count of how many times a keyw...

PeterChu · ‎06-25-2015

Hi All:

How do I write a search to find the count of how many times a keyword appears, not the event count?
As far as I know, |stats count just searches the event count.

ex:
myLog="Helen is a good girl. Helen is beautiful."

I want to know "Helen" occurs with a count of 2.

Thanks a lot.

martin_mueller · ‎06-26-2015

Alternate solution avoiding mvexpand so it could be applied to many events at once:

| stats count as text | eval text = "Helen is a good girl. Helen is beautiful."
| eval tokens = lower(replace(text, "\W+", " "))
| makemv tokens
| eval matches = mvfilter(match(tokens, "^helen$"))
| eval count = mvcount(matches)

Replace the first line with your search returning a field text and it'll produce a count for each event.

View solution in original post

martin_mueller · ‎06-26-2015

Alternate solution avoiding mvexpand so it could be applied to many events at once:

| stats count as text | eval text = "Helen is a good girl. Helen is beautiful."
| eval tokens = lower(replace(text, "\W+", " "))
| makemv tokens
| eval matches = mvfilter(match(tokens, "^helen$"))
| eval count = mvcount(matches)

Replace the first line with your search returning a field text and it'll produce a count for each event.

martin_mueller · ‎07-02-2015

You should see a field count in the left bar. Alternatively, add | table _raw count to the end to make it show in the Statistics tab.

PeterChu · ‎07-02-2015

Nice , if I add "| table _raw count " I can get count=2
Final my search command look like

sourcetype=test
 | eval tokens = lower(replace(_raw, "\W+", " "))
 | makemv tokens
 | eval matches = mvfilter(match(tokens, "^helen$"))
 | eval count = mvcount(matches)
 | table _raw count

I deeply appreciated your kindness .

martin_mueller · ‎07-02-2015

If that's the raw text returned then this should do:

sourcetype=test
| eval tokens = lower(replace(_raw, "\W+", " "))
| makemv tokens
| makemv tokens
| eval matches = mvfilter(match(tokens, "^helen$"))
| eval count = mvcount(matches)

PeterChu · ‎07-02-2015

Hi Martin:
I use the search command you mentioned above, but the result only can see the log event, can't see anything on statistics.
Maybe I must count _raw to a field ?

Thanks.

PeterChu · ‎07-02-2015

Hi Martin:
Thanks your help, but I still don't know how to apply my search language to replace text.
ex:my search is " sourcetype=test " and the result will be "Helen is a good girl. Helen is beautiful."
Can I use the search cmd to replace the log. Maybe it is likely a subsearch?

Thanks again.

MuS · ‎06-26-2015

Hi PeterChu,

I don't know if there is a better way to do this; but have a look at this run everywhere example to get an idea how it could be done:

| gentimes start=-1 |  eval myLog="Helen is a good girl. Helen is beautiful." 
| rex field=myLog "(?<word>\S+)" max_match=0 
| mvexpand word 
| search word="Helen"
| stats count  
| eval Count=if(count=="2", "Twice", count) 
| table word, Count

The first line is only to create the event, then I use rex to get the single words and expand it into single value field called word, search for all word="Helen", count them and display the result.

Hope that helps ...

cheers, MuS

HiroshiSatoh · ‎06-25-2015

What in this?

・・・・|eval list=split(_raw," Helen is")|eval count=mvcount(list)-1

However, also counts "XXXHelen is" and "YYYHelen is".

How do I search the count of how many times a keyword appears, not the event count?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

How do I search the count of how many times a keyword appears, not the event count?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)