Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In Splunk how to find the number of words based on the a pipe separator and add a value to it and assign it to a new fil

rboya
Loves-to-Learn
‎07-28-2020 11:58 AM

Hi Have an event like this shown below

Today's Greeting Message=Hello|myname|name|is|Alice|myName|is|bob Good bye for today

The have a field name Message and its value is Hello|myname|name|is|Alice|myName|is|bob

How will I get the count of the words based on separator of a specific field value. And adding some new number to the count received and assign it to a new field value.

example for above log i will get 8 as count based on | separator(separator count+1).  Now i will add 2 to the count(8+2) and the value to be updated to a new splunk field.

This will help in calculating if any event that is crossing the threshold of that value then i can trigger an alert.

Some one please help me in getting this.

Labels (4)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-29-2020 01:18 AM

You can count the words by using mvcount on the split field as below

| makeresults
| eval Message="Hello|myname|name|is|Alice|myName|is|bob"
| eval wordCount=mvcount(split(Message,"|"))

then you can do whatever you like to the wordCount, so in your example just add the two as part of the eval statement

| makeresults
| eval Message="Hello|myname|name|is|Alice|myName|is|bob"
| eval wordCount=mvcount(split(Message,"|"))+2

  Hope this helps

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...