Splunk Search

How to generate a search to display the count of a field based on filepath extensions?

Explorer

I have a search with multiple extensions in a field. I want to group details based on the extensions in filePath, and also count based on the extensions in the filePath.

devicename, time, fileHash, filePath (.txt, .exe, .js, etc.)

Any help would be appreciated.

1 Solution

Super Champion

Just tried with a small subset. Have a try using your dataset and let us know the results.

index=_internal | stats count by source | rex field=source "\.(?<extn>[^\\\|^\/|^\.]+$)" | stats count by extn

So in your case, the actual search would be something like:

<your search> | rex field=filePath "\.(?<extn>[^\\\|^\/|^\.]+$)" | stats count by extn

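As an added example (not part of the original post), the rex extraction and the `stats count by extn` step emulated in Python over a constructed set of filePath values. It shows a caveat the answer does not mention: a path with no extension produces no extn, and `stats ... by extn` drops such events silently, so they need a separate check.

```python
import re
from collections import Counter

# Python equivalent of the SPL rex pattern from the accepted answer:
#   rex field=filePath "\.(?<extn>[^\\\|^\/|^\.]+$)"
# The negated class excludes backslash, slash, pipe, caret and dot, so the
# group only captures text after a dot that runs unbroken to the end of the
# path: a dot inside a directory name (C:\app.v2\installer) yields nothing.
EXT_RE = re.compile(r"\.(?P<extn>[^\\/|^.]+$)")

# Constructed sample events (not real data), one filePath per event.
SAMPLE_EVENTS = [
    {"devicename": "host-a", "filePath": r"C:\Users\bob\report.txt"},
    {"devicename": "host-a", "filePath": r"C:\Windows\Temp\setup.exe"},
    {"devicename": "host-b", "filePath": "/tmp/payload.js"},
    {"devicename": "host-b", "filePath": "/home/bob/archive.tar.gz"},  # last dot wins
    {"devicename": "host-b", "filePath": r"C:\app.v2\installer"},  # dot in directory only
    {"devicename": "host-c", "filePath": "/usr/local/bin/tool"},  # no extension
    {"devicename": "host-c", "filePath": r"C:\Users\bob\INVOICE.TXT"},  # case differs
]

def extract_extn(file_path):
    """Return what rex would put in extn for this path, or None if no match."""
    m = EXT_RE.search(file_path)
    return m.group("extn") if m else None

def count_by_extn(events, normalise_case=False):
    """Emulate `| stats count by extn`.

    As in SPL, events whose extn is null are dropped, so extension-less
    paths vanish from the table silently. normalise_case=True folds
    TXT/txt together, which in SPL needs an explicit `| eval extn=lower(extn)`.
    """
    counts = Counter()
    for ev in events:
        extn = extract_extn(ev["filePath"])
        if extn is None:
            continue
        counts[extn.lower() if normalise_case else extn] += 1
    return dict(counts)

def unmatched_paths(events):
    """Paths that produced no extn: worth a separate panel so they are not lost."""
    return [ev["filePath"] for ev in events if extract_extn(ev["filePath"]) is None]

if __name__ == "__main__":
    print(count_by_extn(SAMPLE_EVENTS))
    print(count_by_extn(SAMPLE_EVENTS, normalise_case=True))
    print(unmatched_paths(SAMPLE_EVENTS))
```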


Explorer

That worked, thanks a lot.
