Splunk Search

How to count a field that contains special values and display it with others using Piechart?

Communicator

I have a column named Target that contains several values where some ends with @myemail.com, but when I just used stats count by Targetit became really messy as there are many email users.

So I want to sum all the values that end with @myemail.com and then display in the Pie chart with other value counts. But I tried stats sum(eval) return no result while the case wouldn't work as the total type of string values changes along time.

Does anyone know how to search this? Thanks!

0 Karma
1 Solution

Contributor

If I understood correctly, you want to count *@myemail.com in totals vs single count of all other users?

| makeresults | eval Target="bla@myemail.com,something@else.com,foobar@myemail.com,metoo@aol.com,splunk@myemail.com" 

| makemv delim="," Target | mvexpand Target

| rex field=Target "(?<user>[^@]+)@(?<domain>.*)$"

| eval myemail_combined_Target=if(domain=="myemail.com","myemail.com",Target)

| stats count by myemail_combined_Target

The first two line just generate a random input for this cut and paste example. I have three @myemail.com domain users in the input, and two other ones.

Third line splits the Target into user and domain, that's where you would start after your base search.

Fourth line create a field that either is "myemail.com" for all those users, or the original Target for everything else.

Last line is the count that you wanted to have if I understood correctly. 🙂

Hth,
-Kai.

View solution in original post

0 Karma

Contributor

If I understood correctly, you want to count *@myemail.com in totals vs single count of all other users?

| makeresults | eval Target="bla@myemail.com,something@else.com,foobar@myemail.com,metoo@aol.com,splunk@myemail.com" 

| makemv delim="," Target | mvexpand Target

| rex field=Target "(?<user>[^@]+)@(?<domain>.*)$"

| eval myemail_combined_Target=if(domain=="myemail.com","myemail.com",Target)

| stats count by myemail_combined_Target

The first two line just generate a random input for this cut and paste example. I have three @myemail.com domain users in the input, and two other ones.

Third line splits the Target into user and domain, that's where you would start after your base search.

Fourth line create a field that either is "myemail.com" for all those users, or the original Target for everything else.

Last line is the count that you wanted to have if I understood correctly. 🙂

Hth,
-Kai.

View solution in original post

0 Karma

Communicator

Thanks for your response. Tho the rex was a bit off but the whole search string worked perfectly after I made a minor change. Your explanation was very thorough.

0 Karma