Solved: How to generate a search to display the count of a...

rvinjana · ‎02-26-2017

I have a search with multiple extensions in a field which, i want to group details based on the extensions in filepath and also count based on the extensions in the filepath

devicename time fileHash filePath=.txt , .exe , .js etc

any help would be appreciated

koshyk · ‎02-27-2017

Just tried with a small subset. Have a try using your dataset and let us know the results

index=_internal| stats count by source| rex field=source "\.(?<extn>[^\\\|^\/|^\.]+$)"| stats count by extn

so in your case, the actual search would be something like

<your search>  | rex field=filePath "\.(?<extn>[^\\\|^\/|^\.]+$)"| stats count by extn

View solution in original post

koshyk · ‎02-27-2017

Just tried with a small subset. Have a try using your dataset and let us know the results

index=_internal| stats count by source| rex field=source "\.(?<extn>[^\\\|^\/|^\.]+$)"| stats count by extn

so in your case, the actual search would be something like

<your search>  | rex field=filePath "\.(?<extn>[^\\\|^\/|^\.]+$)"| stats count by extn

rvinjana · ‎02-27-2017

that worked thanks a lot

How to generate a search to display the count of a field based on filepath extensions?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life