Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need a query to find count of substring within string

caschmid
New Member
‎06-10-2025 10:03 AM

I need a query that will tell me the count of a substring within a string like this ...

"This is my [string]" and I need find the word and count of [string]. "This is my" is always the same but [string] is dynamic and can be many things, such as apple, banana etc. I need tabular data returned to look like 

Word           Count

apple          3

I tried this but doesnt seem to working 

rex field=_raw ".*This is my (?<string>\d+).*" | stats count by string 

 

Labels (1)
Labels
0 Karma
Reply

PrewinThomas
Motivator
‎06-10-2025 08:50 PM

@caschmid 

\d+ matches only digits, not any word.

If "This is my" is always constant, you can try below
rex field=_raw "This is my (?<string>\w+)" | stats count by string


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2025 03:36 PM

Two problems with your regex.

  1. \d represents a digit 0-9.  Unless your "string" only includes digits, \d+ will not match.
  2. As @livehybrid notes, your original string includes a pair of square brackets.

A usable code to extract "apple" from "This is my [apple]" would be

| rex "This is my \[(?<string>[^\]]+)\]"
| stats count by string

Note:

  • _raw is the default field for rex command.
  • .* at beginning and end of a regex serves no purpose except adding cost.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-10-2025 03:35 PM

In addition to the other comments, you don't need the .* at the start and end of the regex

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎06-10-2025 01:17 PM

Hi @caschmid 

Would something like this work for you? This assumes you know the string you want count, is that right?

livehybrid_0-1749586546263.png

 

| rex max_match=100 field=_raw "(?<extract>\[string\])"
| stats count by extract

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-10-2025 11:16 AM

Use https://regex101.com to verify your regexes.

In this case it won't work for "string" not being a number because \d+ means a sequence of digits. Depending on how precise you want to be with this match, you might want \S+ or some other variation.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
Top