
How to count the results of a rex that returns multiple matches as a single group of matches?

bschaap
Path Finder

I have results from a rex statement that looks something like the first set of results. The rex returns multiple matches per row. I am trying to use the stats function to group multiple matches as a single group (see Desired). However, my stats statement currently sees each match as a separate group (see Not Desired). Is there a way to return the Desired result?

Multi-match rex results
namespace
.........................................................
System.ServiceModel.Channels
System.ServiceModel.Dispatcher
..........................................................
System.ServiceModel.Channels
System.ServiceModel.Dispatcher
..........................................................

Statement
... |stats count by namespace

Desired
namespace count
.........................................................................................
System.ServiceModel.Channels 2
System.ServiceModel.Dispatcher
.........................................................................................

Not Desired
namespace count
.........................................................................................
System.ServiceModel.Channels 1
System.ServiceModel.Dispatcher 1
.........................................................................................

1 Solution

somesoni2
Revered Legend

Give this a try. The nomv command will convert your multivalued field to a regular, linear field. This way the stats will treat them as one group, instead of individual values.

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100 | table namespace | nomv namespace | stats count by namespace | makemv namespace

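The same grouping, as an added, self-contained example that is not the poster's search or data: it builds three constructed exception events with makeresults, extracts the namespaces from a simplified "at Namespace.Class.Method(" frame format (the full regex in the question is not needed for the sample), and then groups on the whole set of frames per event. Instead of nomv it joins the multivalue field with mvjoin and an explicit delimiter, so the grouping key is deterministic and makemv can reliably split it back for display; the field names ExStackTrace, namespace and frameset are assumptions for this example.

```spl
| makeresults count=3
| streamstats count AS n
| eval ExStackTrace=case(
    n=1, "at System.ServiceModel.Channels.HttpChannel.Send() at System.ServiceModel.Dispatcher.MessageDispatcher.Dispatch()",
    n=2, "at System.ServiceModel.Channels.HttpChannel.Send() at System.ServiceModel.Dispatcher.MessageDispatcher.Dispatch()",
    n=3, "at System.ServiceModel.Channels.HttpChannel.Close()")
| rex field=ExStackTrace "at (?<namespace>[\w.]*)\.\w+\.\w+\(" max_match=100
| eval frameset=mvjoin(namespace, " > ")
| stats count BY frameset
| makemv delim=" > " frameset
| table frameset count
```

Pasted into the search bar, this returns two rows: the frame set System.ServiceModel.Channels, System.ServiceModel.Dispatcher with count 2, and System.ServiceModel.Channels alone with count 1, which is the "Desired" shape from the question. Swapping the mvjoin and stats lines for "mvexpand namespace | stats count BY namespace" produces the "Not Desired" per-namespace counts instead, because mvexpand creates one event per value before anything is counted. Grouping on the full frame set is the right unit when triaging exception logs: identical frame sets are the same failure path, so the count tells you how often each path occurs rather than how often a namespace appears anywhere in a trace.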

bschaap
Path Finder

It works! Thanks, everyone.


cpetterborg
SplunkTrust

Not being able to see more of your search, and assuming a few things from what you said, I'd attempt the following:

<your search> | mvexpand namespace | stats count by namespace

bschaap
Path Finder

I appreciate the response. Unfortunately, mvexpand namespace didn't do what I expected. This is my original search. The results return all the namespaces within the stacktrace for a row. I would like to group each set of matches within a stacktrace and return a count. Instead, it's grouping on each individual match. Hope this makes sense.

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100| table namespace

cpetterborg
SplunkTrust

OOPS. @somesoni2 got it right. I got my mv commands mixed up when I submitted, and I didn't check my answer first. Gotta make sure I check things before I submit!
