Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need a query to find count of substring within string

caschmid
New Member
‎06-10-2025 10:03 AM

I need a query that will tell me the count of a substring within a string like this ...

"This is my [string]" and I need find the word and count of [string]. "This is my" is always the same but [string] is dynamic and can be many things, such as apple, banana etc. I need tabular data returned to look like 

Word           Count

apple          3

I tried this but doesnt seem to working 

rex field=_raw ".*This is my (?<string>\d+).*" | stats count by string 

 

Labels (1)
Labels
0 Karma
Reply

PrewinThomas
Builder
‎06-10-2025 08:50 PM

@caschmid 

\d+ matches only digits, not any word.

If "This is my" is always constant, you can try below
rex field=_raw "This is my (?<string>\w+)" | stats count by string


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2025 03:36 PM

Two problems with your regex.

  1. \d represents a digit 0-9.  Unless your "string" only includes digits, \d+ will not match.
  2. As @livehybrid notes, your original string includes a pair of square brackets.

A usable code to extract "apple" from "This is my [apple]" would be

| rex "This is my \[(?<string>[^\]]+)\]"
| stats count by string

Note:

  • _raw is the default field for rex command.
  • .* at beginning and end of a regex serves no purpose except adding cost.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-10-2025 03:35 PM

In addition to the other comments, you don't need the .* at the start and end of the regex

0 Karma
Reply

livehybrid
Ultra Champion
‎06-10-2025 01:17 PM

Hi @caschmid 

Would something like this work for you? This assumes you know the string you want count, is that right?

livehybrid_0-1749586546263.png

 

| rex max_match=100 field=_raw "(?<extract>\[string\])"
| stats count by extract

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-10-2025 11:16 AM

Use https://regex101.com to verify your regexes.

In this case it won't work for "string" not being a number because \d+ means a sequence of digits. Depending on how precise you want to be with this match, you might want \S+ or some other variation.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
Top