Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to make combine multiple string searches and c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to make combine multiple string searches and count all combinations
allanmb
Engager
01-12-2017
04:19 AM
I am logging some settings and whether they are enabled or disabled. I want to make a table combining some of the options. For example, here is my log entry:
[UserSettings] Player:Fred QC:1 QCAudio:0
I want to find the number of entries where QC is 1 and QCAudio is 1. I also want to find the number of entries where both are 0, and all other combinations.
Currently I am searching a single option with the following splunk search:
UserSettings | eval qcenabled=if(like(_raw, "%QC:1%"), "Enabled", "Disabled") | stats count by qcenabled
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
01-12-2017
07:53 AM
How about giving this a try that will find all the combinations, give enabled and disabled for the combinations as well as "Other" in case it is not one of the two combinations you want. Hope it helps:
UserSettings
| rex field=_raw "\[UserSettings\]\s*Player\s*\:\s*(?<playerName>[\S]+)\s*QC\s*\:\s*(?<qcCount>[\S]+)\s*QCAudio\s*\:\s*(?<qcAudioCount>[\S]+)
| eval qcenabled=case( qcCount=1 AND qcAudioCount=1, "Enabled", qcCount=0 AND qcAudioCount=0,"Disabled", 1=1, "Other")
| stats count by qcCount, qcAudioCount, qcenabled
I have added some extra \s* in the above rex just to be safe in case there are some spaces here and there but that rex can compactly be written like below as well:
| rex field=_raw "\[UserSettings\]\s*Player\:(?<playerName>[\S]+)\s*QC\:(?<qcCount>[\S]+)\s*QCAudio\:(?<qcAudioCount>[\S]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
allanmb
Engager
01-12-2017
07:26 AM
I've found a messy way to do it which is fine with only 4 possible combinations but any more and this would be very messy. Is there a more automatic way to do it?
UserSettings | eval qcenabled=if(like(message, "%QC:1%") AND like(message, "%QCAudio:1%"), "fully enabled", if(like(message, "%QC:0%") AND like(message, "%QCAudio:0%"), "fully disabled", "partially disabled")) | stats count by qcenabled
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
allanmb
Engager
01-12-2017
04:38 AM
I have something working using:
UserSettings | eval qcenabled=if(like(_raw, "%QC:1%") AND like(_raw, "%QCAudio:1%"), "Both Enabled", "Something Disabled") | stats count by qcenabled
This only does a count of one single combination against all others, rather than soing all 4 combinations
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
