Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you get counts with wildcards?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wfresch
Explorer
01-10-2019
06:54 AM
Suppose I have the following data, but I don't know the GUIDs ahead of time:
Path
/boat/826ec68b-cc87-41f9-b93b-5bfae6f21c52/duck
/car/39bdd442-167b-46b0-95fd-1e8e0423e7f8/fox
/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/cat
/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/fox
/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a
I'd like to get counts like this:
Count Path
1 /boat/*/duck
2 /car/*/fox
1 /car/*/cat
1 /car/*
Is this possible? I can even get close to this. I'd be happy — like, a count of 4 for "/car/*" would still be better than nothing.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdchakraborty
Contributor
01-10-2019
07:56 AM
Hi Martin,
Please find below the run anywhere query, one question is your path format is always same? if not we can think about negative indexing in mvindex.
| makeresults count=5
| rename comment as "start of data preparation"
| streamstats count as id
| eval path = case(id=1,"/boat/826ec68b-cc87-41f9-b93b-5bfae6f21c52/duck",id=2,"/car/39bdd442-167b-46b0-95fd-1e8e0423e7f8/fox",id=3,"/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/cat",id=4,"/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/fox",id=5,"/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a")
| table path
| eval splitted_path = split(path,"/")
| eval needed_path = "/".mvindex(splitted_path,1)."/".if(isnull(mvindex(splitted_path,3))," ",mvindex(splitted_path,3))
| stats count by needed_path
Sid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-10-2019
08:25 AM
Like this:
| makeresults
| eval path = "/boat/826ec68b-cc87-41f9-b93b-5bfae6f21c52/duck /car/39bdd442-167b-46b0-95fd-1e8e0423e7f8/fox /car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/cat /car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/fox /car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a"
| makemv path
| mvexpand path
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval orig_path = path
| rex field=path mode=sed "s%(/[^/]+)/[^/]+%\1%"
| stats count by path
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wfresch
Explorer
01-10-2019
09:12 AM
will this work, even if I don't know the actual GUIDs ahead of time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wfresch
Explorer
01-10-2019
10:33 AM
How do I make that work on an enterprise query that uses an index? ie "index=mylog path='/routeX/*' ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-10-2019
11:00 AM
Use your search and then add on lines 8-10 of my solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-10-2019
09:15 AM
Yes, it blindly strips off everything between the 2nd and 3rd / character (including one of the / characters).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdchakraborty
Contributor
01-10-2019
07:56 AM
Hi Martin,
Please find below the run anywhere query, one question is your path format is always same? if not we can think about negative indexing in mvindex.
| makeresults count=5
| rename comment as "start of data preparation"
| streamstats count as id
| eval path = case(id=1,"/boat/826ec68b-cc87-41f9-b93b-5bfae6f21c52/duck",id=2,"/car/39bdd442-167b-46b0-95fd-1e8e0423e7f8/fox",id=3,"/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/cat",id=4,"/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a/fox",id=5,"/car/2c2d27d4-4c07-460e-8c0e-11aad4e4c34a")
| table path
| eval splitted_path = split(path,"/")
| eval needed_path = "/".mvindex(splitted_path,1)."/".if(isnull(mvindex(splitted_path,3))," ",mvindex(splitted_path,3))
| stats count by needed_path
Sid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wfresch
Explorer
01-10-2019
09:13 AM
will this work, even if I don't know the actual GUIDs ahead of time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdchakraborty
Contributor
01-10-2019
09:22 AM
Yes it will work.
Get Updates on the Splunk Community!
Monitoring Postgres with OpenTelemetry
Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...
Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly
To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview.
In ...
Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor
Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...
