Splunk Search

How to count the number of occurrences of a word in an event?

royimad
Builder

Hello Guys,

I have a log as the following and i need to count the number of occurrence of TagID word in such event ( how many times TagID word exist by event ) how can i do that in a search?

Tue Aug 19 2014 04:47:18,515 EDT DEBUG wmservice.business.mobilehospital - [saveDeviceRead2 - HM10042 - roy.imad] Method invoked with parameters : [username]{roy.imad}[deviceId]{HM10042}[macAddress]{XXXX-xxxxx-xxxxx-xxxxxx-xxx}[readPacket]{(TagID){E0040100206E6349}|(TagID){E0040100206E7BA7}|(TagID){E0040100206E7917}|(TagID){E0040100206E7BF7}|(TagID){E0040100206E7BAF}|(TagID){E0040100206E7967}|(TagID){E0040100206E64A1}|(TagID){E0040100206E90F4}|(TagID){E0040100206E64A9}|(TagID){E0040100206E796F}|(TagID){E0040100206E791F}|(TagID){E0040100206E90FC}}[readMode]{A}[updateEventInfo]{(Disposition){}(RGA){}(PO){}(SO){}(DetailDisposition){}(EncounterID){null}(DestinationID){}(ReturnID){null}(DispositionFlag){false}(RGAFlag){false}(POFlag){false}(SOFlag){false}(DetailDispositionFlag){false}(EncounterIDFlag){false}(DestinationIDFlag){false}(ReturnIDFlag){false}}[createAudit]{true}[auditInfo]{(EndpointID){RU00014GN1}(Signature){}(ImageSignature){null}(SignerName){null}(Comment){}}

Tags (3)

renjujacob88
Path Finder

Hi

Please do try this too

index=_internal | rex field=_raw max_match=0 "(?(TagID))" | stats count by TagID|

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi royimad,

take this run everywhere command:

index=_internal | head 1 | eval foo="Tue Aug 19 2014 04:47:18,515 EDT DEBUG wmservice.business.mobilehospital  - [saveDeviceRead2 - HM10042 - roy.imad] Method invoked with parameters : [username]{roy.imad}[deviceId]{HM10042}[macAddress]{XXXX-xxxxx-xxxxx-xxxxxx-xxx}[readPacket]{(TagID){E0040100206E6349}|(TagID){E0040100206E7BA7}|(TagID){E0040100206E7917}|(TagID){E0040100206E7BF7}|(TagID){E0040100206E7BAF}|(TagID){E0040100206E7967}|(TagID){E0040100206E64A1}|(TagID){E0040100206E90F4}|(TagID){E0040100206E64A9}|(TagID){E0040100206E796F}|(TagID){E0040100206E791F}|(TagID){E0040100206E90FC}}[readMode]{A}[updateEventInfo]{(Disposition){}(RGA){}(PO){}(SO){}(DetailDisposition){}(EncounterID){null}(DestinationID){}(ReturnID){null}(DispositionFlag){false}(RGAFlag){false}(POFlag){false}(SOFlag){false}(DetailDispositionFlag){false}(EncounterIDFlag){false}(DestinationIDFlag){false}(ReturnIDFlag){false}}[createAudit]{true}[auditInfo]{(EndpointID){RU00014GN1}(Signature){}(ImageSignature){null}(SignerName){null}(Comment){}} " 
| rex field=foo max_match=0 "(?<tagid>\(TagID\))" 
| stats count by tagid

this will return a count of 12
The first line is just to build an event which contains your data, the rex and the stats will do the work.

hope this helps ...

cheers, MuS

MuS
SplunkTrust
SplunkTrust

Thanks royimad for upvoting the answer; If it answers your question please accept it 😉 Thanks MuS

0 Karma

somesoni2
Revered Legend

In case you want count of tag to appear as a field for each event (counting no of tag for each event), in #MuS answer, replace 'stats count by tagid' to 'eval tagcount=mvcount(tagid)'

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!