Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count the results of a rex that returns multiple matches as a single group of matches?

bschaap
Path Finder
‎09-20-2017 07:15 AM

I have results from a rex statement that looks something like the first set of results. The rex returns multiple matches per row. I am trying to use the stats function to group multiple matches as a single group (see Desired). However, my stats statement currently sees each match as a separate group (see Not Desired). Is there a way to return the Desired result?

Multi-match rex results
namespace
.........................................................
System.ServiceModel.Channels
System.ServiceModel.Dispatcher
..........................................................
System.ServiceModel.Channels
System.ServiceModel.Dispatcher
..........................................................

Statement
... |stats count by namespace

Desired
namespace count
.........................................................................................
System.ServiceModel.Channels 2
System.ServiceModel.Dispatcher
.........................................................................................

Not Desired
namespace count
.........................................................................................
System.ServiceModel.Channels 1
System.ServiceModel.Dispatcher 1
.........................................................................................

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-20-2017 09:36 AM

Give this a try. The nomv command will convert your multivalued field to regular, linear field. This way the stats will treat them as one group, instead of individual values. 

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100| table namespace | nomv namespace | stats count by namespace | makemv namespace

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-20-2017 09:36 AM

Give this a try. The nomv command will convert your multivalued field to regular, linear field. This way the stats will treat them as one group, instead of individual values. 

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100| table namespace | nomv namespace | stats count by namespace | makemv namespace
Reply
Solved! Jump to solution

bschaap
Path Finder
‎09-20-2017 10:13 AM

It works! Thank everyone.

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎09-20-2017 08:23 AM

Not being able to see more of your search, and assuming a few things from what you said, I'd attempt the following:

<your search> | mvexpand namespace | stats count by namespace
0 Karma
Reply
Solved! Jump to solution

bschaap
Path Finder
‎09-20-2017 08:43 AM

I appreciate the response. Unfortunately, mvexpand namespace didn't do what I expected. This is my original search. The results return all the namespaces within the stacktrace for a row. I would like to group each set of matches within a stacktrace and return a count. Instead, it's grouping on each individual match. Hope this makes sense.

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100| table namespace
0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎09-20-2017 09:44 AM

OOPS. @somesoni2 got it right. I got my mv commands mixed up when I submitted, and I didn't check my answer first. Gotta make sure I check things before I submit!

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...