Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return count of certain text using Splunk regular expression?

ABHAYA
Path Finder
‎05-29-2023 05:31 AM

I have an input string  which contains strings like code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTED,

Expected Ouput 

Code   count 

test2     2

test3      1

Basically i  am looking for whose status is completed or starts with completed word  those code name and completion count in the result. Can anyone please help me on this.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-29-2023 06:35 AM

Hi @ABHAYA,

if you have all the fields in the same event, you have to divide it using something like this:

| makeresults 
| eval _raw="code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE."
| rex max_match=0 "(?<event>[^,\.]+)"
| mvexpand event
| rex field=event "code\s*\=\s*(?<code>\w*)"
| rex field=event "status\s*\=\s*(?<status>\w*)"
| stats count BY code status

when you arrive at the last raw, you can aggregate as you like.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-29-2023 05:54 AM

Hi @ABHAYA.,

if you want to know only the codes where the status is "COMPLETED", you could run:

index=your_index status=COMPLETED
| stats count BY Code

if you want also add all the information about status, you could run:

index=your_index
| stats count BY Code status

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ABHAYA
Path Finder
‎05-29-2023 06:19 AM

code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE. This  input is a single string. I do not have  data in table format.I tried with the solution provided by you .it is not working

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎05-30-2023 12:31 AM

Luckily each test segment is delimited by comma.  You can use that to break the raw input into individual events, like this:

| eval data = split(_raw, ",")
| mvexpand data
| rename data AS _raw
| extract

Ultimately, though, your developer should consider breaking the events in raw logs.

Below is data emulation you can play with and compare with your real data.

| makeresults
| eval _raw = "code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE."
``` data emulation above ```

 

Tags (2)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-29-2023 06:41 AM 
| rex max_match=0 "code\s*=\s*(?<code>\S+)"
| stats count by code
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-29-2023 06:35 AM

Hi @ABHAYA,

if you have all the fields in the same event, you have to divide it using something like this:

| makeresults 
| eval _raw="code =test1  description=test1 description status = pending,code =test2  description=test2 description status = COMPLTED, code =test3  description=test3 description status = COMPLETED_FIRST,code =test2  description=test2 description status = COMPLTE."
| rex max_match=0 "(?<event>[^,\.]+)"
| mvexpand event
| rex field=event "code\s*\=\s*(?<code>\w*)"
| rex field=event "status\s*\=\s*(?<status>\w*)"
| stats count BY code status

when you arrive at the last raw, you can aggregate as you like.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...