Solved: How to match string and apply stats count on a sta...

rkishoreqa · ‎12-07-2020

I have a requirement to fetch stats count from raw data logs. Sharing you the query and results.

Query : index="bw6_stg" sourcetype="HYD01"| rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" | stats count by Applname

For the above query below are the results.

Applname count
abcd 5
abcd.app 6
efgh 4
efgh.app 3

Now I want to add 'abcd' count and 'abcd.app' count (5+6), it should show total=11
Same as above 'efgh' count and 'efgh.app' count (4+3); total=7.

I need to build query for the above total, can anyone guide me on this.

richgalloway · ‎12-07-2020

Do that by normalizing the names before computing the counts.

index="bw6_stg" sourcetype="HYD01"
| rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" 
| eval Applname=mvindex(split(Applname,"."), 0)
| stats count by Applname

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-07-2020

Do that by normalizing the names before computing the counts.

index="bw6_stg" sourcetype="HYD01"
| rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" 
| eval Applname=mvindex(split(Applname,"."), 0)
| stats count by Applname

---
If this reply helps you, Karma would be appreciated.

How to match string and apply stats count on a stats count table

stats

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to match string and apply stats count on a stats count table

stats

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases