Re: How to get counts of events matching only part...

arrangineni · ‎04-27-2020

I am trying to get counts of events that match only a particular field value pattern from a multi-valued field.

Multi valued field values like:
name=abc;name=12345;name=246
name=12344
name=246;name=abc
name=12378

Need counts of events which only contains field values containing name=123* and ignore the once which are combination of others?

I did try the below but it includes all events containing name=123*
| makemv delim=";" multivalued-field
| rex field=multivalued-field "name=(?P[^,]+),"
| search whatineed="123*"

to4kawa · ‎04-27-2020

| makeresults 
| eval _raw="raw
name=abc;name=12345;name=246
name=12344
name=246;name=abc
name=12378
name=12378;name=12379" 
| multikv forceheader=1 
| rex max_match=0 "name=(?<name>[^;]+)" 
| rename COMMENT as "this is sample. form here, the logic" 
| table name 
| rename COMMENT as "please check this result" 
| eval names=mvmap(name,if(match(name,"^123"),1,0)) 
| streamstats window=1 sum(names) as sums 
| where mvcount(names) = sums 
| stats count

arrangineni · ‎04-28-2020

@to4kawa thanks for assisting, but using the above approach I am also getting the count for " name=abc;name=12345;name=246" which I don't need.

I am looking for counts which ONLY included values 123* and ignore other combinations. But combination of 123* and 123* is valid.

How to get counts of events matching only particular value pattern from multi valued field

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM