Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need a query to find count of substring within string

caschmid
New Member
‎06-10-2025 10:03 AM

I need a query that will tell me the count of a substring within a string like this ...

"This is my [string]" and I need find the word and count of [string]. "This is my" is always the same but [string] is dynamic and can be many things, such as apple, banana etc. I need tabular data returned to look like 

Word           Count

apple          3

I tried this but doesnt seem to working 

rex field=_raw ".*This is my (?<string>\d+).*" | stats count by string 

 

Labels (1)
Labels
0 Karma
Reply

PrewinThomas
Builder
‎06-10-2025 08:50 PM

@caschmid 

\d+ matches only digits, not any word.

If "This is my" is always constant, you can try below
rex field=_raw "This is my (?<string>\w+)" | stats count by string


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2025 03:36 PM

Two problems with your regex.

  1. \d represents a digit 0-9.  Unless your "string" only includes digits, \d+ will not match.
  2. As @livehybrid notes, your original string includes a pair of square brackets.

A usable code to extract "apple" from "This is my [apple]" would be

| rex "This is my \[(?<string>[^\]]+)\]"
| stats count by string

Note:

  • _raw is the default field for rex command.
  • .* at beginning and end of a regex serves no purpose except adding cost.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-10-2025 03:35 PM

In addition to the other comments, you don't need the .* at the start and end of the regex

0 Karma
Reply

livehybrid
Ultra Champion
‎06-10-2025 01:17 PM

Hi @caschmid 

Would something like this work for you? This assumes you know the string you want count, is that right?

livehybrid_0-1749586546263.png

 

| rex max_match=100 field=_raw "(?<extract>\[string\])"
| stats count by extract

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-10-2025 11:16 AM

Use https://regex101.com to verify your regexes.

In this case it won't work for "string" not being a number because \d+ means a sequence of digits. Depending on how precise you want to be with this match, you might want \S+ or some other variation.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...