How do you get counts with wildcards?

wfresch
Explorer

Suppose I have the following data, but I don't know the GUIDs ahead of time:

Path

/boat/826ec68b-cc87-41f9-b93b-5bfae6f21c52/duck
/car/39bdd442-167b-46b0-95fd-1e8e0423e7f8/fox
/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/cat
/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/fox
/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a

I'd like to get counts like this:

Count    Path
1        /boat/*/duck
2        /car/*/fox
1        /car/*/cat
1        /car/*

Is this possible? I can even get close to this. I'd be happy — like, a count of 4 for "/car/*" would still be better than nothing.

0 Karma
1 Solution

sdchakraborty
Contributor

Hi Martin,

Please find below the run-anywhere query. One question: is your path format always the same? If not, we can think about negative indexing in mvindex.

|  makeresults  count=5
| rename comment as "start of data preparation"
| streamstats count as id
| eval path = case(id=1,"/boat/826ec68b-cc87-41f9-b93b-5bfae6f21c52/duck",id=2,"/car/39bdd442-167b-46b0-95fd-1e8e0423e7f8/fox",id=3,"/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/cat",id=4,"/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/fox",id=5,"/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a")
| table path
| eval splitted_path = split(path,"/")
| eval needed_path = "/".mvindex(splitted_path,1)."/".if(isnull(mvindex(splitted_path,3))," ",mvindex(splitted_path,3))
| stats count by needed_path

Sid

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval path = "/boat/826ec68b-cc87-41f9-b93b-5bfae6f21c52/duck /car/39bdd442-167b-46b0-95fd-1e8e0423e7f8/fox /car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/cat /car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/fox /car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a" 
| makemv path 
| mvexpand path 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval orig_path = path 
| rex field=path mode=sed "s%(/[^/]+)/[^/]+%\1%"
| stats count by path

wfresch
Explorer

Will this work, even if I don't know the actual GUIDs ahead of time?

0 Karma

wfresch
Explorer

How do I make that work on an enterprise query that uses an index? i.e. "index=mylog path='/routeX/*'"?

0 Karma

woodcock
Esteemed Legend

Use your search and then add on lines 8-10 of my solution.

0 Karma

woodcock
Esteemed Legend

Yes, it blindly strips off everything between the 2nd and 3rd / character (including one of the / characters).

0 Karma

wfresch
Explorer

Will this work, even if I don't know the actual GUIDs ahead of time?

0 Karma

sdchakraborty
Contributor

Yes, it will work.

0 Karma