How to count a particular string in the searched field
I have the following search, which lists the complete path name of the file in field12:
index="xxxxxxxxx" host=xxxxx abcservice complete AND *.doc* OR *.ppt* OR *.xls*
Now I want to count the number of doc, ppt, and xls type files. Is it possible, within a given search, to conduct a further search on field12 only, pick the last 3 or 4 characters (doc or docx), and count them?

Try something like this (assuming field 'field12' contains the file name/path where you're matching these extensions):
index="xxxxxxxxx" host=xxxxx abcservice complete AND ( field12=*.doc* OR field12=*.ppt* OR field12=*.xls* )
| rex field=field12 "(?<Extension>\.\w{3,4})" | stats count by Extension

| rex field=field12 "(?<Extension>\.\w{2,3,4})" | stats count by Extension
added 4 in case you have extensions like .docx
When I put this in, I get the message "No results found". I will try to work on the field extractor stuff as mentioned in
http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/ExtractfieldsinteractivelywithIFX
Thanks for taking out your time and replying to my query.

Try with just this as well:
index="xxxxxxxxx" host=xxxxx abcservice complete AND ( *.doc* OR *.ppt* OR *.xls* )
| rex "(?<Extension>\.\w{3,4})" | stats count by Extension
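The rex-plus-stats pipeline in the answers above can be reproduced outside Splunk to see exactly what the regex captures. The following is an added example, not code from the thread or from Splunk: it runs the answer's pattern `\.\w{3,4}` over a handful of constructed events whose `field12` holds a file path, counts matches per extension the way `stats count by Extension` would, and goes one step beyond the thread by also running an end-anchored variant, which matters when a directory name contains a dot (the unanchored pattern grabs the first `.xxx` it sees, which may be a folder, not the file extension). The event format, field name `field12`, and all sample paths are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events (not from the original thread); field12 holds the file path.
SAMPLE_EVENTS = [
    'host=srv01 abcservice complete field12="/share/reports/q1.docx"',
    'host=srv01 abcservice complete field12="/share/reports/q2.doc"',
    # Directory name with a dot: an unanchored \.\w{3,4} matches ".2019" first, not ".xls".
    'host=srv02 abcservice complete field12="/share/finance.2019/budget.xls"',
    'host=srv02 abcservice complete field12="/share/decks/kickoff.pptx"',
    'host=srv03 abcservice complete field12="/share/decks/kickoff.ppt"',
    # Not a document type we care about; must not be counted.
    'host=srv03 abcservice complete field12="/share/notes/readme.txt"',
]

# Pulls the quoted value of field12 out of a raw event line (constructed format).
FIELD12_RE = re.compile(r'field12="(?P<field12>[^"]*)"')

# Same pattern as the thread's rex: first dot followed by 3 or 4 word characters, anywhere.
UNANCHORED_RE = re.compile(r"(?P<Extension>\.\w{3,4})")

# Hardened variant: the captured extension must sit at the very end of the path.
ANCHORED_RE = re.compile(r"(?P<Extension>\.\w{3,4})$")


def extract_field12(event):
    """Return the field12 value from one event line, or None if it is absent."""
    m = FIELD12_RE.search(event)
    return m.group("field12") if m else None


def count_by_extension(events, pattern=ANCHORED_RE, wanted=("doc", "ppt", "xls")):
    """Emulate `| rex field=field12 "(?<Extension>...)" | stats count by Extension`.

    Only extensions whose stem starts with one of `wanted` are kept, so ".doc" and
    ".docx" both count, under separate keys, exactly as stats would report them.
    """
    counts = Counter()
    for event in events:
        path = extract_field12(event)
        if path is None:
            continue  # no field12 on this event: rex would add nothing, stats would skip it
        m = pattern.search(path)
        if not m:
            continue
        ext = m.group("Extension")
        if ext[1:].startswith(wanted):  # str.startswith accepts a tuple of prefixes
            counts[ext] += 1
    return dict(counts)


if __name__ == "__main__":
    print("anchored  :", count_by_extension(SAMPLE_EVENTS))
    print("unanchored:", count_by_extension(SAMPLE_EVENTS, pattern=UNANCHORED_RE))
```

With the anchored pattern every document in the sample is counted; with the thread's unanchored pattern the `budget.xls` event disappears from the result because the regex stops at `.2019`, which is a good reason to anchor the rex when field12 holds full paths rather than bare file names.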

Thanks @adonio, I meant to write \w{3,4} there. Updated the answer.

Why not extract a new field called "extension", for example, and then do ... | stats count by extension?
You can also use the | rex command to create the field and then proceed as mentioned above.
Based on the search above, you should probably utilize the stats command. Also, you may need to create a field for this, such as Doctype.
Once you have the field extraction in place, you can run the stats command: |stats count by Doctype
Note that the field name is case-sensitive. Below is the field extraction documentation:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/ExtractfieldsinteractivelywithIFX
