Splunk Search

How to count field with string and empty string and draw a chart ?

annalwins
Engager

I have below format of data. I would like to count email with empty string as anonymous and email with any string as customer and would like to draw a chart for the same.
email= ,status='yes'
email=abced@gmail.com ,status='yes'
email=ced@gmail.com ,status='yes'

Tags (1)
0 Karma
1 Solution

adityapavan18
Contributor

You can try something like this:

| rex "email=(?[^\,]*)" | eval emailtype = if(email==" ","Anonymous","Customer") | stats count by emailtype

View solution in original post

annalwins
Engager

It works as I expected.
[1] Can you explain me about this rex. How does email="" string goes to Anonymous and email=äbcd.gmail.com goes to customer?
[2] How can I get avg customer from this ?

0 Karma

adityapavan18
Contributor

Its simple, the rex i mentioned extracts everything between the string "email=" and the comma(,).
In case of proper email id's it extract email id's, but when there is no email Id there is only a blank space and that is extracted.
Now in my eval statement i am checking if email value is a blank space if yes i am setting a variable emailtype as Anonymous else as Customer. Hope that helps.

0 Karma

adityapavan18
Contributor

You can try something like this:

| rex "email=(?[^\,]*)" | eval emailtype = if(email==" ","Anonymous","Customer") | stats count by emailtype

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...