Solved: How to count field with string and empty string an...

annalwins · ‎04-16-2014

I have below format of data. I would like to count email with empty string as anonymous and email with any string as customer and would like to draw a chart for the same.
email= ,status='yes'
email=abced@gmail.com ,status='yes'
email=ced@gmail.com ,status='yes'

adityapavan18 · ‎04-16-2014

You can try something like this:

| rex "email=(?[^\,]*)" | eval emailtype = if(email==" ","Anonymous","Customer") | stats count by emailtype

View solution in original post

annalwins · ‎04-17-2014

It works as I expected.
[1] Can you explain me about this rex. How does email="" string goes to Anonymous and email=äbcd.gmail.com goes to customer?
[2] How can I get avg customer from this ?

adityapavan18 · ‎04-17-2014

Its simple, the rex i mentioned extracts everything between the string "email=" and the comma(,).
In case of proper email id's it extract email id's, but when there is no email Id there is only a blank space and that is extracted.
Now in my eval statement i am checking if email value is a blank space if yes i am setting a variable emailtype as Anonymous else as Customer. Hope that helps.

adityapavan18 · ‎04-16-2014

You can try something like this:

| rex "email=(?[^\,]*)" | eval emailtype = if(email==" ","Anonymous","Customer") | stats count by emailtype

How to count field with string and empty string and draw a chart ?

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

Developer Spotlight with Paul Stout