Hi All:
How do I write a search to find the count of how many times a keyword appears, not the event count?
As far as I know, |stats count just searches the event count.
ex:
myLog="Helen is a good girl. Helen is beautiful."
I want to know "Helen" occurs with a count of 2.
Thanks a lot.
Alternate solution avoiding mvexpand so it could be applied to many events at once:
| stats count as text | eval text = "Helen is a good girl. Helen is beautiful."
| eval tokens = lower(replace(text, "\W+", " "))
| makemv tokens
| eval matches = mvfilter(match(tokens, "^helen$"))
| eval count = mvcount(matches)
Replace the first line with your search returning a field text and it'll produce a count for each event.
You should see a field count in the left bar. Alternatively, add | table _raw count to the end to make it show in the Statistics tab.
Nice, if I add "| table _raw count" I can get count=2.
Finally, my search command looks like:
sourcetype=test
| eval tokens = lower(replace(_raw, "\W+", " "))
| makemv tokens
| eval matches = mvfilter(match(tokens, "^helen$"))
| eval count = mvcount(matches)
| table _raw count
I deeply appreciate your kindness.
If that's the raw text returned then this should do:
sourcetype=test
| eval tokens = lower(replace(_raw, "\W+", " "))
| makemv tokens
| eval matches = mvfilter(match(tokens, "^helen$"))
| eval count = mvcount(matches)
Hi Martin:
I use the search command you mentioned above, but in the results I can only see the log event and can't see anything under Statistics.
Maybe I must count _raw to a field?
Thanks.
Hi Martin:
Thanks for your help, but I still don't know how to apply my search language to replace text.
ex: my search is "sourcetype=test" and the result will be "Helen is a good girl. Helen is beautiful."
Can I use the search cmd to replace the log? Maybe it is likely a subsearch?
Thanks again.
Hi PeterChu,
I don't know if there is a better way to do this, but have a look at this run-everywhere example to get an idea of how it could be done:
| gentimes start=-1 | eval myLog="Helen is a good girl. Helen is beautiful."
| rex field=myLog "(?<word>\S+)" max_match=0
| mvexpand word
| search word="Helen"
| stats count by word
| eval Count=if(count=="2", "Twice", count)
| table word, Count
The first line is only to create the event, then I use rex to get the single words and expand them into a single-value field called word, search for all word="Helen", count them and display the result.
Hope that helps ...
cheers, MuS
What about this?
... |eval list=split(_raw," Helen is")|eval count=mvcount(list)-1
However, it also counts "XXXHelen is" and "YYYHelen is".
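The counting rules behind the three searches in this thread, modelled in Python on constructed sample events so their results can be compared side by side. This is an added example, not part of the original posts and not Splunk code; the function names, the sample events after the first one, and the phrase "Helen is" used for the substring rule are assumptions.

```python
import re

# Constructed sample events; only the first one comes from the thread.
EVENTS = [
    "Helen is a good girl. Helen is beautiful.",
    "I called helen, then Helen called back.",
    "XXXHelen is not a match; Helena is someone else.",
    "No keyword in this event.",
]

def count_tokens(text, keyword):
    """Rule of the replace/makemv/mvfilter search: runs of non-word
    characters become spaces, text is lowercased, whole tokens compared."""
    tokens = re.sub(r"\W+", " ", text).lower().split()
    return tokens.count(keyword.lower())

def count_whitespace_words(text, keyword):
    """Rule of the rex/mvexpand search: words are whitespace-delimited,
    so punctuation stays attached ("helen," is not "helen").
    Comparison is modelled as case-insensitive."""
    return [w.lower() for w in text.split()].count(keyword.lower())

def count_substring(text, phrase):
    """Rule of the split()/mvcount()-1 search: every occurrence of the
    literal phrase counts, including inside a longer word."""
    return len(text.split(phrase)) - 1

def summarize(events, keyword):
    """Per-event counts under each rule, their totals, and the number of
    events with at least one whole-token match (an event count, as
    opposed to an occurrence count)."""
    rows = [(count_tokens(e, keyword),
             count_whitespace_words(e, keyword),
             count_substring(e, keyword + " is")) for e in events]
    totals = tuple(sum(col) for col in zip(*rows))
    matching_events = sum(1 for r in rows if r[0] > 0)
    return rows, totals, matching_events

if __name__ == "__main__":
    rows, totals, matching = summarize(EVENTS, "Helen")
    for event, row in zip(EVENTS, rows):
        print(row, event)
    print("totals (token, whitespace, substring):", totals)
    print("events containing the keyword:", matching)
```

All three rules agree on the thread's own sample and diverge once punctuation touches the keyword or the keyword is embedded in a longer string.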