Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return count of certain text using Splunk regular expression?

ABHAYA
Path Finder
‎05-29-2023 05:31 AM

I have an input string  which contains strings like code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTED,

Expected Ouput 

Code   count 

test2     2

test3      1

Basically i  am looking for whose status is completed or starts with completed word  those code name and completion count in the result. Can anyone please help me on this.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-29-2023 06:35 AM

Hi @ABHAYA,

if you have all the fields in the same event, you have to divide it using something like this:

| makeresults 
| eval _raw="code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE."
| rex max_match=0 "(?<event>[^,\.]+)"
| mvexpand event
| rex field=event "code\s*\=\s*(?<code>\w*)"
| rex field=event "status\s*\=\s*(?<status>\w*)"
| stats count BY code status

when you arrive at the last raw, you can aggregate as you like.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-29-2023 05:54 AM

Hi @ABHAYA.,

if you want to know only the codes where the status is "COMPLETED", you could run:

index=your_index status=COMPLETED
| stats count BY Code

if you want also add all the information about status, you could run:

index=your_index
| stats count BY Code status

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ABHAYA
Path Finder
‎05-29-2023 06:19 AM

code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE. This  input is a single string. I do not have  data in table format.I tried with the solution provided by you .it is not working

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎05-30-2023 12:31 AM

Luckily each test segment is delimited by comma.  You can use that to break the raw input into individual events, like this:

| eval data = split(_raw, ",")
| mvexpand data
| rename data AS _raw
| extract

Ultimately, though, your developer should consider breaking the events in raw logs.

Below is data emulation you can play with and compare with your real data.

| makeresults
| eval _raw = "code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE."
``` data emulation above ```

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-29-2023 06:41 AM 
| rex max_match=0 "code\s*=\s*(?<code>\S+)"
| stats count by code
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-29-2023 06:35 AM

Hi @ABHAYA,

if you have all the fields in the same event, you have to divide it using something like this:

| makeresults 
| eval _raw="code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE."
| rex max_match=0 "(?<event>[^,\.]+)"
| mvexpand event
| rex field=event "code\s*\=\s*(?<code>\w*)"
| rex field=event "status\s*\=\s*(?<status>\w*)"
| stats count BY code status

when you arrive at the last raw, you can aggregate as you like.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...