Solved: How to match string and apply stats count on a sta...

rkishoreqa · ‎12-07-2020

I have a requirement to fetch stats count from raw data logs. Sharing you the query and results.

Query : index="bw6_stg" sourcetype="HYD01"| rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" | stats count by Applname

For the above query below are the results.

Applname count
abcd 5
abcd.app 6
efgh 4
efgh.app 3

Now I want to add 'abcd' count and 'abcd.app' count (5+6), it should show total=11
Same as above 'efgh' count and 'efgh.app' count (4+3); total=7.

I need to build query for the above total, can anyone guide me on this.

richgalloway · ‎12-07-2020

Do that by normalizing the names before computing the counts.

index="bw6_stg" sourcetype="HYD01"
| rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" 
| eval Applname=mvindex(split(Applname,"."), 0)
| stats count by Applname

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-07-2020

Do that by normalizing the names before computing the counts.

index="bw6_stg" sourcetype="HYD01"
| rex field=_raw "ApplicationName:\s+\[(?P<Applname>.*)];" 
| eval Applname=mvindex(split(Applname,"."), 0)
| stats count by Applname

---
If this reply helps you, Karma would be appreciated.

How to match string and apply stats count on a stats count table

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation