Splunk Search

How to count the numbers of occurrence for two value

Path Finder

I have the following search:

sourcetype="placingOrder" Code=504 host="localhost*" | stats count by Path

The output is:

Path                            count
/api/fetchReport/v2/report1    2
/api/fetchReport/v2/report2    8
/api/fetchReport/v2/report3    3
/api/fetchReport/v2/report4   10
/api/Order/v2/OrdrePlaced        9
/api/Order/v3/OrdreNotPlaced    1

I want the output should be:

Path                   Module           count                   
fetchReport            report1          2
                       report2             8
                       report3             3
                       report4             10
Order               OrdrePlaced          9
                       OrdreNotPlaced       1
0 Karma
1 Solution

SplunkTrust
SplunkTrust

@JyotiP

Can you please try this?

sourcetype="placingOrder" Code=504 host="localhost*" | stats count by Path | rex field=Path "\/api\/(?<Path>.*)\/(v2|v3)\/(?<Module>.*)" | streamstats window=2 first(Path) as f_path count as c |
eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count

My Sample Search:

| makeresults | eval _raw=" Path                            count
 /api/fetchReport/v2/report1       2
 /api/fetchReport/v2/report2       8
 /api/fetchReport/v2/report3       3
 /api/fetchReport/v2/report4      10
 /api/Order/v2/OrdrePlaced         9
 /api/Order/v3/OrdreNotPlaced      1
" | multikv | rex field=Path "\/api\/(?<Path>.*)\/(v2|v3)\/(?<Module>.*)" | streamstats window=2 first(Path) as f_path count as c |
eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count

View solution in original post

0 Karma

New Member

Hi,

Inspite of stats count by Path, use "|table Path" .

Try below query

sourcetype="placingOrder" Code=504 host="localhost" |table Path | rex field=Path "/api/(?\w+)/(?\w+)/(?\w+)" | stats count by field1 field3

0 Karma

Path Finder

@wanip_fossil I guess something wrong with the regex. I am getting an error in the regex.

0 Karma

New Member

sourcetype="placingOrder" Code=504 host="localhost" |table Path | rex field=Path "\/api\/(?\w+)\/(?\w+)\/(?\w+)" | stats count by field1 field3

Please try now

0 Karma

Path Finder

Getting the below error,
Error in 'rex' command: Encountered the following error while compiling the regex '\/api\/(?\w+)\/(?\w+)\/(?\w+)': Regex: unrecognized character after (? or (?-

0 Karma

SplunkTrust
SplunkTrust

@JyotiP

Can you please try this?

sourcetype="placingOrder" Code=504 host="localhost*" | stats count by Path | rex field=Path "\/api\/(?<Path>.*)\/(v2|v3)\/(?<Module>.*)" | streamstats window=2 first(Path) as f_path count as c |
eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count

My Sample Search:

| makeresults | eval _raw=" Path                            count
 /api/fetchReport/v2/report1       2
 /api/fetchReport/v2/report2       8
 /api/fetchReport/v2/report3       3
 /api/fetchReport/v2/report4      10
 /api/Order/v2/OrdrePlaced         9
 /api/Order/v3/OrdreNotPlaced      1
" | multikv | rex field=Path "\/api\/(?<Path>.*)\/(v2|v3)\/(?<Module>.*)" | streamstats window=2 first(Path) as f_path count as c |
eval Path=case(c=1,Path,Path!=f_path,Path,1=1,"") | table Path Module count

View solution in original post

0 Karma

Path Finder

@kamlesh_vaghela yeah this work. What does this streamstats do?

0 Karma

SplunkTrust
SplunkTrust

🙂

Adds cumulative summary statistics to all search results in a streaming manner. The streamstats command calculates statistics for each event at the time the event is seen.

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Streamstats

0 Karma