How to generate a search to display the count of a field based on filepath extensions?

Explorer

I have a search with multiple extensions in a field. I want to group details based on the extensions in filepath and also count based on the extensions in the filepath.

devicename time fileHash filePath=.txt , .exe , .js etc

Any help would be appreciated.


Re: How to generate a search to display the count of a field based on filepath extensions?

Super Champion

Just tried with a small subset. Have a try using your dataset and let us know the results.

index=_internal | stats count by source | rex field=source "\.(?<extn>[^\\\|^\/|^\.]+$)" | stats count by extn

So in your case, the actual search would be something like:

<your search> | rex field=filePath "\.(?<extn>[^\\\|^\/|^\.]+$)" | stats count by extn

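An added example, not part of the original thread: the same `rex` from the answer above, extended to cover the "group details" half of the question by normalising case, bucketing paths with no extension, and summarising devices and hashes per extension. The `makeresults` rows are constructed sample data, and the field names `devicename`, `filePath` and `fileHash` are taken from the question; the `(none)` label and the output column names are assumptions.

```spl
| makeresults
| eval constructed_rows=split("pc01|/home/a/notes.txt|h1;pc01|/tmp/setup.EXE|h2;pc02|/tmp/setup.exe|h2;pc02|/srv/www/app.min.js|h3;pc03|/usr/bin/sshd|h4;pc03|/opt/app.v2/README|h5;pc04|/tmp/invoice.pdf.exe|h6", ";")
| mvexpand constructed_rows
| eval parts=split(constructed_rows, "|")
| eval devicename=mvindex(parts, 0), filePath=mvindex(parts, 1), fileHash=mvindex(parts, 2)
| rex field=filePath "\.(?<extn>[^\\\|^\/|^\.]+$)"
| eval extn=lower(coalesce(extn, "(none)"))
| stats count dc(devicename) AS devices dc(fileHash) AS unique_hashes values(filePath) AS paths BY extn
| sort - count
```

Because the pattern is anchored at the end of the path, `/opt/app.v2/README` lands in `(none)` rather than being counted as `v2`, and `invoice.pdf.exe` is counted under `exe`, which is the extension that matters when triaging double-extension files.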


Re: How to generate a search to display the count of a field based on filepath extensions?

Explorer

That worked, thanks a lot.
