Solved: How to count values across multiple similarly name...

o_cardoso · ‎10-17-2020

Hi!

Given 2 events:

SummaryDialog Component1=wxt_12 Component2=wyt_1 Component3=wzt_3 Component4=wbt_2

SummaryDialog Component1=wyt_2 Component2=wxt_12 Component3=wbt_2 Component4=wzt_1

I'm trying to get a summary of the occurrences of each unique value regardless of the component:

wbt_2 2

wxt_12 2

wyt_1 1

wyt_2 1

wzt_3 1

wzt_6 1

Naively, I hoped this would work:

index=cls_preprod SummaryDialog | stats count by component*

It does not (returns no results). Does anyone have any suggestions? I've been googling for awhile and have not hit upon a viable solution. Note there a N number of components

Thanks!

(and forgive me if this is a basic question.. i am very basic splunk user)

ITWhisperer · ‎10-18-2020

| rex max_match=0 "Component[^=]+=(?<component>\S+)"
| stats count by component

View solution in original post

o_cardoso · ‎10-18-2020

works great, thanks!!

ITWhisperer · ‎10-18-2020

| rex max_match=0 "Component[^=]+=(?<component>\S+)"
| stats count by component

How to count values across multiple similarly named fields

stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!