In Splunk how to find the number of words based on...

rboya · ‎07-28-2020

Hi Have an event like this shown below

How will I get the count of the words based on separator of a specific field value. And adding some new number to the count received and assign it to a new field value.

example for above log i will get 8 as count based on | separator(separator count+1). Now i will add 2 to the count(8+2) and the value to be updated to a new splunk field.

This will help in calculating if any event that is crossing the threshold of that value then i can trigger an alert.

Some one please help me in getting this.

bowesmana · ‎07-29-2020

You can count the words by using mvcount on the split field as below

| makeresults
| eval Message="Hello|myname|name|is|Alice|myName|is|bob"
| eval wordCount=mvcount(split(Message,"|"))

then you can do whatever you like to the wordCount, so in your example just add the two as part of the eval statement

| makeresults
| eval Message="Hello|myname|name|is|Alice|myName|is|bob"
| eval wordCount=mvcount(split(Message,"|"))+2

Hope this helps

In Splunk how to find the number of words based on the a pipe separator and add a value to it and assign it to a new fil

count

eval

regex

rex

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials