Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to make combine multiple string searches and count all combinations

allanmb
Engager
‎01-12-2017 04:19 AM

I am logging some settings and whether they are enabled or disabled. I want to make a table combining some of the options. For example, here is my log entry:
[UserSettings] Player:Fred QC:1 QCAudio:0

I want to find the number of entries where QC is 1 and QCAudio is 1. I also want to find the number of entries where both are 0, and all other combinations.

Currently I am searching a single option with the following splunk search:

UserSettings | eval qcenabled=if(like(_raw, "%QC:1%"), "Enabled", "Disabled") | stats count by qcenabled
0 Karma
Reply

gokadroid
Motivator
‎01-12-2017 07:53 AM

How about giving this a try that will find all the combinations, give enabled and disabled for the combinations as well as "Other" in case it is not one of the two combinations you want. Hope it helps:

UserSettings 
| rex field=_raw "\[UserSettings\]\s*Player\s*\:\s*(?<playerName>[\S]+)\s*QC\s*\:\s*(?<qcCount>[\S]+)\s*QCAudio\s*\:\s*(?<qcAudioCount>[\S]+)
| eval qcenabled=case( qcCount=1 AND qcAudioCount=1, "Enabled", qcCount=0 AND qcAudioCount=0,"Disabled", 1=1, "Other") 
| stats count by qcCount, qcAudioCount, qcenabled

I have added some extra \s* in the above rex just to be safe in case there are some spaces here and there but that rex can compactly be written like below as well:

 | rex field=_raw "\[UserSettings\]\s*Player\:(?<playerName>[\S]+)\s*QC\:(?<qcCount>[\S]+)\s*QCAudio\:(?<qcAudioCount>[\S]+)
0 Karma
Reply

allanmb
Engager
‎01-12-2017 07:26 AM

I've found a messy way to do it which is fine with only 4 possible combinations but any more and this would be very messy. Is there a more automatic way to do it?

UserSettings | eval qcenabled=if(like(message, "%QC:1%") AND like(message, "%QCAudio:1%"), "fully enabled", if(like(message, "%QC:0%") AND like(message, "%QCAudio:0%"), "fully disabled", "partially disabled")) | stats count by qcenabled
0 Karma
Reply

allanmb
Engager
‎01-12-2017 04:38 AM

I have something working using:

UserSettings | eval qcenabled=if(like(_raw, "%QC:1%") AND like(_raw, "%QCAudio:1%"), "Both Enabled", "Something Disabled") | stats count by qcenabled

This only does a count of one single combination against all others, rather than soing all 4 combinations

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...