In Splunk how to find the number of words based on...

rboya · ‎07-28-2020

Hi Have an event like this shown below

How will I get the count of the words based on separator of a specific field value. And adding some new number to the count received and assign it to a new field value.

example for above log i will get 8 as count based on | separator(separator count+1). Now i will add 2 to the count(8+2) and the value to be updated to a new splunk field.

This will help in calculating if any event that is crossing the threshold of that value then i can trigger an alert.

Some one please help me in getting this.

bowesmana · ‎07-29-2020

You can count the words by using mvcount on the split field as below

| makeresults
| eval Message="Hello|myname|name|is|Alice|myName|is|bob"
| eval wordCount=mvcount(split(Message,"|"))

then you can do whatever you like to the wordCount, so in your example just add the two as part of the eval statement

| makeresults
| eval Message="Hello|myname|name|is|Alice|myName|is|bob"
| eval wordCount=mvcount(split(Message,"|"))+2

Hope this helps

In Splunk how to find the number of words based on the a pipe separator and add a value to it and assign it to a new fil

count

eval

regex

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!