Solved: How to return count of certain text using Splunk ...

ABHAYA · ‎05-29-2023

I have an input string which contains strings like code =test1 description=test1 description status = pending,code =test2 description=test2 description status = COMPLTED, code =test3 description=test3 description status = COMPLETED_FIRST,code =test2 description=test2 description status = COMPLTED,

Expected Ouput

Code count

test2 2

test3 1

Basically i am looking for whose status is completed or starts with completed word those code name and completion count in the result. Can anyone please help me on this.

gcusello · ‎05-29-2023

Hi @ABHAYA,

if you have all the fields in the same event, you have to divide it using something like this:

| makeresults 
| eval _raw="code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE."
| rex max_match=0 "(?<event>[^,\.]+)"
| mvexpand event
| rex field=event "code\s*\=\s*(?<code>\w*)"
| rex field=event "status\s*\=\s*(?<status>\w*)"
| stats count BY code status

when you arrive at the last raw, you can aggregate as you like.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎05-29-2023

Hi @ABHAYA.,

if you want to know only the codes where the status is "COMPLETED", you could run:

index=your_index status=COMPLETED
| stats count BY Code

if you want also add all the information about status, you could run:

index=your_index
| stats count BY Code status

Ciao.

Giuseppe

ABHAYA · ‎05-29-2023

code =test1 description=test1 description status = pending,code =test2 description=test2 description status = COMPLTED, code =test3 description=test3 description status = COMPLETED_FIRST,code =test2 description=test2 description status = COMPLTE. This input is a single string. I do not have data in table format.I tried with the solution provided by you .it is not working

yuanliu · ‎05-30-2023

Luckily each test segment is delimited by comma. You can use that to break the raw input into individual events, like this:

| eval data = split(_raw, ",")
| mvexpand data
| rename data AS _raw
| extract

Ultimately, though, your developer should consider breaking the events in raw logs.

Below is data emulation you can play with and compare with your real data.

| makeresults
| eval _raw = "code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE."
``` data emulation above ```

ITWhisperer · ‎05-29-2023

| rex max_match=0 "code\s*=\s*(?<code>\S+)"
| stats count by code

gcusello · ‎05-29-2023

Hi @ABHAYA,

if you have all the fields in the same event, you have to divide it using something like this:

| makeresults 
| eval _raw="code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE."
| rex max_match=0 "(?<event>[^,\.]+)"
| mvexpand event
| rex field=event "code\s*\=\s*(?<code>\w*)"
| rex field=event "status\s*\=\s*(?<status>\w*)"
| stats count BY code status

when you arrive at the last raw, you can aggregate as you like.

Ciao.

Giuseppe

How to return count of certain text using Splunk regular expression?

field extraction

regex

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)